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1.  SUMMARY 


This  report  describes  a  technology  program  for  an  actuation 
concept  that  is  considered  to  be  a  candidate  system  for  a 
research  test  vehicle.  In  addition  to  covering  the  basic 
program,  the  report  includes  in  the  Appendices  a  detailed 
discussion  of  the  actuation  concept,  copy  of  the  Integration 
Test  Plan,  and  a  Reliability  Analysis  of  the  actuation  concept 
prepared  under  a  Bell  Helicopter  IR&D  program. 

1.1  SCOPE 

This  program  included  a  preliminary  design  study  of  a  4-axis 
fault-tolerant  actuation  system  and  also  the  design,  fabrica¬ 
tion,  testing,  and  evaluation  of  a  laboratory  model  of  the 
actuation  system  for  use  in  a  potential  test  helicopter.  The 
actuation  concept  used  in  this  program  was  a  derivative  of  the 
4-valve  Fly-By-Wire  (FBW)  actuation  system  that  was  conceptu¬ 
ally  developed  and  tested  under  a  Bell  Helicopter  funded 
program.  The  4-valve  concept  is  summarized  later  in  Section  2 
and  covered  in  more  detail  in  Appendix  A. 

The  4-axis  fault- tolerant  actuation  system  was  predesigned  for 
operation  with  a  triplex  Automatic  Flight  Control  System 
(AFCS )  as  well  as  to  accommodate  the  installation  requirements 
in  the  test  helicopter.  Each  actuator  assembly  consists  of  a 
dual,  series-type,  AFCS  actuator  interfaced  with  a  single¬ 
piston  primary  actuator  in  a  manner  to  produce  an  output  that 
is  the  summation  of  pilot  and  AFCS  inputs.  Two  electrical  and 
hydraulic  power  supplies  were  used  to  provide  a  failure  toler¬ 
ance  level  (FTL)  of  single  fail-operate.  The  system  was  also 
configured  so  that  in  the  event  of  a  total  loss  of  hydraulic 
and/or  electrical  power,  the  test  aircraft  could  be  flown 
manually.  The  AFCS  was  interfaced  with  the  associated  sensors 
and  electrical  control  paths  to  effect  a  quadruplex  control 
path  system  with  an  FTL  of  dual  fail-operate.  The  preliminary 
design  of  the  4-axis  control  system  is  defined  in  Section  2. 

The  laboratory  model  of  the  actuation  system  was  designed  and 
fabricated  using  existing  equipment  from  the  Bell  IR&D  program 
when  feasible.  Hence,  the  laboratory  model  was  functionally 
the  same  as  the  preliminary  system  but  not  physically  the 
same.  This  equipment  was  installed  on  a  existing  test  stand 
that  was  modified  to  accommodate  the  installation  and  test  of 
the  fault- tolerant  AFCS  actuator,  primary  actuator,  load 
actuator,  and  the  associated  electronics.  Integration  tests 
were  conducted  to  assure  operational  suitability,  simulated 
failures  were  inserted  to  validate  the  failure/management 
circuitry.  This  effort  is  discussed  further  in  Section  2. 


1.2  CONCLUSIONS 


The  4-valve  actuation  system  has  been  evaluated  within  the 
scope  of  this  program  and  is  recommended  as  a  valid  candidate 
for  a  fault-tolerant  actuation  system  in  a  selected  test 
helicopter.  This  recommendation  is  based  on  the  pertinent 
attributes  listed  below. 

•  Simplicity  -  functionally,  as  well  as  low  parts  count, 
relates  to  good  reliability,  low  cost,  and  low  weight. 

•  Unique  failure/roanagement  -  more  than  satisfies  fault- 
tolerance  requirements;  has  a  control  path  FTL  of  dual 
fail-operate  and  power  supply/basic  actuator  FTL  of 
single  fail-operate. 

•  Unique  multiple-path  tracking  feature  -  makes  the  system 
less  sensitive  to  tolerance  problems  associated  with 
control  path  elements. 

•  Easily  retrofitted  -  actuator  output  can  be  differenti- 
ally  mixed  with  the  pilot  control  or  can  replace  the 
primary  actuator  and  used  as  a  FBW  actuator. 

The  concept  can  also  be  extended  to  encompass  a  variety  of 
other  aircraft. 


I 


& 


2 .  INTRODUCTION 

2. 

2.1  GENERAL  BACKGROUND 

Current  hovering  aircraft  capabilities  demand  considerable 
visual  contact  flight  before  final  landing,  with  the  pilot 
providing  most  of  the  attitude-stabilizing,  position-fixing, 
height-controlling  and  deck  motion  compensating  functions. 
Pilot  workload,  even  in  clear  weather  operations,  is 
excessive.  This  places  additional  demands  of  considerable 
magnitude  upon  the  pilot  and  the  flight  control  capabilities 
of  the  hovering  vehicle.  The  development  of  an  advanced, 
precise,  and  highly  reliable  flight  control/guidance  system 
concept  to  meet  operational  goals  is  a  prime  requirement.  The 
manual  and  automatic  modes  of  the  flight  control  system  must 
have  sufficient  authority  to  perform  their  required  functions 
during  the  critical  vertical  take-off  and  landing  operations. 
This  implies  that  the  conflict  between  automatic  control 
authority  and  flight  safety  must  be  resolved  by  incorporating 
fail-safe  and  fault-tolerant  features  in  the  Flight  Control 
System  (FCS). 

An  SH-2F  helicopter  was  chosen  as  the  study  vehicle  for  the 
integration  and  evaluation  of  the  4-vlave  concept.  The  an¬ 
ticipated  FCS  requirements  will  consist  of  a  single  fail- 

*  operational  capability.  The  AFCS  is  anticipated  to  be  a  high 
(50  percent)  authority  system.  During  landings  on  small 
ships,  all  ship  kinematics,  aircraft  range,  and  range  rate 
information  will  be  transmitted  to  the  helicopter  via  the 
Landing  Guidance  Sensor  (LGS)  data  link.  All  computations  of 
the  flight  control  laws  required  for  execution  of  the  landing 

1  task  will  be  performed  by  the  flight  control  computers. 

The  actuation  system  is  recognized  as  a  critical  technology  in 
the  development  of  a  research  flight  test  vehicle.  It  is  for 
a  dual  fail-operate  requirement  that  the  4-valve  actuation 
system  has  been  evaluated. 

2.2  SUMMARY  DESCRIPTION  OF  THE  4-VALVE  ACTUATION  SYSTEM 

A  summary  description  of  the  4-valve  actuation  concept  has 
been  included  in  this  section  to  facilitate  the  presentation 
of  the  material  in  the  other  sections.  A  more  detailed  de- 

*  scription  of  the  concept  is  provided  in  Appendix  A. 
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The  4-valve  actuation  system  uses  four  active  electrical  con¬ 
trol  paths  to  control  a  dualized  hydraulic  actuator.  A  simple 
failure  management  unit  operates  in  conjunction  with  some  of 
the  inherent  features  of  the  basic  system  to  provide  an  FTL  for 
the  control  paths  of  dual  fail-operate.  This  actuation  system 
is  characterized  by  fundamental  simplicity  and  its  inherent 
ability  to  tolerate  failures;  it  is  in  essence  a  forgiving- 
type  system. 

The  electrical  control  paths  can  be  analog  or  digital  and  use 
electrohydraulic  servovalves  (EHSV)  for  a  direct  interface 
with  the  two  links  (2  per  piston),  four  electronic  drivers, 
four  quasi-isolated  failure/management  units,  and  a  dual 
primary  hydraulic  actuator  (tandem  or  parallel).  In  a  flight 
test  model,  all  control  channels  would  be  operated  with  a 
control/reporting  panel  located  in  the  cockpit. 

This  system  offers  the  following  features: 

•  Single  fail-operate  is  inherent  (without  failure  manage¬ 
ment  ) . 

•  Dual  fail-operate  provided  by  adding  a  simple  failure/ 
management  system. 

•  Electrohydraulic  servovalves  provide  a  direct  interface 
between  the  electrical  links  and  the  power  cylinder  (no 
drive  actuation  function  required). 

•  Provides  automatic  tracking  of  the  multiple  electrical 
control  links. 

•  Includes  unique  feature  for  protection  against  intermit¬ 

tent  type  inputs  (e.g.,  electrical  transients)  that  could 
effect  an  unwarranted  disengagement.  ,  ‘ 

•  Can  be  easily  retrofitted  using  existing  power  cylinder 
installation. 

•  Has  application  to  high-performance  airplane  controls  as 
well  as  helicopter  controls. 

A  simplified  schematic  of  a  tandem  dual  actuator  and  the  driv¬ 
ing  circuit  is  shown  in  Figure  1.  All  electrical  control 
paths  operate  simultaneously  and  are  automatically  tracked  to 
provide  the  desired  stiffness  at  null.  The  tracking  signals 
are  inherently  generated  in  the  failure  sensing  circuitry  in 
the  failure/management  system. 
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Figure  1.  4 -Valve  Actuation  Concept. 


The  failure/management  system  uses  position  sensors  on  the 
porting  stage  of  the  EHSV  (see  Figure  1)  to  provide  the  intel¬ 
ligence  needed  for  the  failure  logic.  The  failure  circuitry 
uses  a  simple  logic  for  failure  detection  and  has  the  intelli¬ 
gence  to  differentiate  between  an  inert- type  failure  and  a 
hard- type  failure.  Protection  against  an  unwarranted  disen¬ 
gagement  of  a  control  path  (i.e.,  apparent  intermittent 
failure)  has  been  included  for  protection  against  induced 
transients . 

Figure  2  is  a  photograph  of  the  laboratory  test  model  of  the 
4-valve  actuation  system  configured  for  dual  fail-operate  ap¬ 
plication.  As  described  later,  this  hardware  was  used  in  the 
program  to  simulate  the  series-type  AFCS  fault-tolerant  actua¬ 
tor. 
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3 .  WORK  PERFORMED 


The  objective  of  the  work  items  described  in  this  section  was 
to  confirm  the  validity  of  the  4-valve  actuation  system  as  a 
viable  control  system  for  a  research  test  helicopter.  These 
tasks  are  discussed  in  terms  of  what  was  accomplished,  how, 
and  the  final  results. 

3.1  PRELIMINARY  DESIGN  OF  A  4-AXIS  ACTUATOR  SYSTEM 

The  4-axis  actuation  system  has  been  designed  in  accordance 
with  the  requirements  for  a  potential  test  helicopter.  It 
consists  of  four  single  primary  actuators;  four  dual,  fault- 
tolerant  AFCS  actuators;  four  electronic  units  that  provide 
the  electrical  mixing  and  drive  signal  for  the  AFCS  actuators 
and  the  redundancy  management;  and  a  control/annunciator 
panel.  This  equipment  can  be  synthesized  into  a  system  by 
referring  to  Figure  3,  a  schematic  of  one  control  path  of  a 
control  channel.  As  shown,  the  AFCS  actuator  mechanically 
sums  with  the  pilot's  mechanical  controls  to  effect  a  series- 
type  control  input  to  the  primary  actuator.  The  AFCS  actuator 
is  controlled  by  the  electronic  unit  which  is  interfaced  with, 
and  hence  controlled  by,  a  triplex  AFCS  computer  system. 

Hence,  the  primary  actuator  can  be  driven  by  the  pilot,  the 
AFCS,  or  a  combination  of  both. 

The  system  has  been  designed  to  provide  an  AFCS  with  an  FTL  of 
dual  fail-operate  up  through  the  EHSVs  that  port  fluid  into 
the  dual  cylinders  of  the  AFCS  actuators.  The  electrical  and 
hydraulic  power  supplies  are  single  fail-operate.  For  a  dual 
electrical  or  hydraulic  failure,  the  AFCS  actuator  will  be 
automatically  centered  at  a  controlled  rate;  the  actuation 
system  will  then  revert  to  full  manual  control. 

The  control/annunciator  panel  was  not  designed  only  to  consist 
of  electrical  and  hydraulic  power  switches,  automatic 
preflight  test  switches,  and  condition  indicators  (e.g.,  soft 
fail,  hard  fail,  and  disengage).  A  more  detailed  design  of  the 
total  system  should  be  accomplished  before  the  central/annun¬ 
ciator  panel  design  can  be  finalized.  The  other  major  com¬ 
ponents  are  summarized  below. 

3.1.1  Triplex/Quadruplex  Interface  Unit 

As  shown  in  Figure  3,  this  unit  transposes  the  triplex  AFCS 
signals  into  guadruplex  signals  for  compatibility  with  the 
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quadruplex  AFCS  actuation  system.  Figure  4  is  a  simplified 
schematic  of  the  Triplex/Quadruplex  Interface  Unit  (T/QIU).  A 
cross-strap  approach  was  considered  for  the  interface  function 
but  was  voted  out  in  preference  of  the  scheme  shown  in  Figure 
4  that  has  some  failure  mode  advantages. 

The  selected  approach  developed  a  "dummy*'  control  path  by  sum¬ 
ming  the  three  AFCS  signals  into  a  high  impedance  amplifier 
through  FET  switches  that  are  operated  by  the  quadruplex  failure/ 
management  system.  This  implementation  provides  a  dual  fail- 
operate  capability  to  the  AFCS  inputs.  For  example,  if  triplex 
signal  A3  fails,  failure/management  unit  2b  will  open  the  re¬ 
spective  FET  switch  $^2  and  after  the  prescribed  time  delay, 

will  disengage  control  path  2b.  A  second  AFCS  failure  would 
operate  in  a  similar  manner  and  leave  the  remaining  AFCS  con¬ 
trol  path  and  the  dummy  path  driving  the  AFCS  actuator.  If 
the  first  or  second  failure  had  been  the  dummy  control  path, 
control  path  la  would  have  disengaged  leaving  the  other  paths 
driving  the  AFCS  actuator. 

This  circuit  approach  is  simple  and  appears  to  be  compara¬ 
tively  less  vulnerable  to  failures. 

3.1.2  Electronic  Unit 

The  major  components  in  the  unit  are  the  failure/management 
unit  and  the  drive  circuitry.  In  addition  to  the  basic  mix¬ 
ing  of  the  input  signals  to  the  drive  amplifier,  the  electronic 
unit  has  two  EHSV  loops:  the  direct  feedback  loop  and  the  auto¬ 
tracking  loop.  The  direct  feedback  loop  is  to  improve  the 
linearity  of  the  EHSV,  i.e.,  minimize  the  variation  from  unit 
to  unit.  The  autotracking  loop  uses  a  signal  that  is  in¬ 
herently  developed  in  the  failure/management  error  sensing 
circuitry  and  is  used  to  track  the  control  paths.  The  lag 
network  is  used  to  effect  a  track  only  in  the  low-frequency 
spectrum,  e.g.,  below  60  radians  per  second.  The  lead-lag  net¬ 
work  was  included  to  maintain  loop  stability.  A  detailed  de¬ 
sign  of  the  circuitry  for  the  electronic  unit  is  shown  in 
Figure  5.  This  design  is  a  step  toward  developing  a  flight 
test  model  of  the  actuation  system. 

3.1.3  Actuator  Assembly 

The  actuator  assembly  in  each  control  channel  consists  of  a 
primary  actuator,  an  AFCS  actuator,  and  hydraulic  switching 
valves.  A  simplified  version  of  the  arrangement  is  shown  in 
Figure  3.  Figure  6  is  a  schematic  of  the  hydraulic  system. 

As  shown,  it  uses  two  pump  units  in  conjunction  with  switching 
valves  to  provide  the  primary  actuator  with  an  FTL  of  single 
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Figure  4.  Triplex/quadruplex  interface  unit. 
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Figure  5.  Detail  circuit  schematic  of  electronic  unit. 
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fail-operate.  An  FTL  of  single  fail-operate  is  provided  to 
the  dual  AFCS  actuator  by  connecting  each  half  to  a  separate 
pump. 

A  detailed  schematic  of  the  basic  actuator  assembly  is  shown 
in  Figure  7.  It  consists  of  four  EHSVs,  four  isolation 
valves,  two  bypass  valves,  dual  AFCS  cylinders,  centering  and 
locking  mechanisms,  switch  valve,  mechanical  linkages,  and  the 
primary  actuator  that  includes  a  mechanical  control  valve  and 
a  bypass  valve.  The  mixing  linkages  are  representative  of  how 
the  pilot's  input  is  mixed  with  the  AFCS  actuator  to  effect  a 
series-type  summation. 

3.2  CONSTRUCTION  OF  A  LABORATORY  MODEL  OF  THE  ACTUATION 
SYSTEM  FOR  ONE  CONTROL  CHANNEL 

Figure  8  is  a  schematic  of  the  laboratory  test  model  of  the 
fault-tolerant  actuation  system.  Reference  should  also  be 
made  to  Figure  2,  which  is  a  photograph  of  the  laboratory 
model.  The  system  was  designed  using  existing  equipment  where 
possible.  Hence,  it  is  essentially  the  same  functionally  as 
the  preliminary  design  but  not  physically  the  same.  These 
functional  differences  are  listed  below. 

•  Triplex  AFCS  signals  were  simulated. 

•  Existing  control  panels  were  used  and  do  not  have  an 
automatic  preflight  function. 

•  One  hydraulic  supply  and  valving  were  used  to  simulate 
dual  supplies. 

•  One  electrical  supply  and  switches  were  used  to  simulate 
dual  electrical  supplies. 

The  remainder  of  the  system  is  functionally  the  same. 

3.3  DESIGN  OF  EQUIPMENT  AND  PREPARATION  OF  FAILURE  TEST 
PLAN 


The  test  system  consists  of  a  primary/AFCS  actuator  assembly; 
load  actuator  and  associated  control  circuit;  electronic  con¬ 
trol/failure  management  circuitry  for  the  AFCS  (4-valve) 
actuator;  and  a  failure  simulation  panel.  These  equipments 
were  designed  for  installation  on  a  laboratory  test  stand 
equipped  with  hydraulic  and  electrical  supplies  that  were  con¬ 
figured  to  simulate  dual  supplies.  As  shown  in  Figure  8, 
either  hydraulic  supply  will  operate  the  primary  actuator 
through  a  pressure-operated  selector  valve.  Hydraulic  supply 
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Figure  8.  System  schematic  of  laboratory  test  model 
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No.  1  and  Electrical  Supply  No.  1  provide  power  for  Control 
Paths  la  and  lb  while  the  No.  2  supplies  provide  power  for 
Control  Paths  2a  and  2b.  Figure  2  is  a  photograph  of  the 
equipment  and  the  test  stand. 

3.3.1  Primary/AFCS  Actuator  Assembl 


The  AFCS  (4-valve)  actuator  was  interfaced  with  the  primary 
actuator  (see  Figure  9)  to  effect  a  differential  mixing  with 
the  pilot’s  input.  Hence,  the  output  of  the  primary  actuator 
is  a  summation  of  the  pilot's  control  input  and  the  AFCS  in¬ 
put.  Some  friction  in  the  pilot's  control  was  used  to  prevent 
motion  of  the  actuator  from  being  felt  in  the  pilot’s  controls 
that  could  have  occurred  because  of  the  short  linkage 
arrangement . 

The  AFCS  actuator  has  a  displacement  authority  of  about  ±50 
percent  of  the  total  displacement  of  the  primary  actuator. 

Hard  stops  were  located  on  the  output  of  the  primary  actuator 
to  prevent  overtravel  of  the  control  system.  The  spring  cen¬ 
tering  device  was  logically  interfaced  with  the  AFCS  actua¬ 
tion  system  so  that  it  would  center  and  lock  in  the  absence  of 
hydraulic  pressure  or  electrical  power  on  at  least  one  sole¬ 
noid  valve. 

The  primary/AFCS  actuator  assembly  was  designed  using  existing 
hardware.  The  stroke  of  the  AFCS  actuator  was  limited  to 
about  0.6  inch  to  allow  an  existing  spring  centering  device  to 
be  used  to  center  and  mechanically  lock  the  AFCS  actuator  when 
it  is  disengaged  or  in  the  event  of  total  loss  of  electrical 
or  hydraulic  power.  This  configuration  satisfies  the 
functional  requirements  as  planned.  To  evaluate  it  in  the 
proper  perspective,  however,  thresholds,  failure  effects, 
etc.,  have  been  evaluated  in  terms  of  percent  of  full  stroke 
capability  since  the  EHSV  flow  gains  and  associated  loop  gains 
were  designed  for  compatibility  with  the  actuator  size  and 
flow  requirements.  Also,  the  pilot’s  mechanical  input  to 
actuator  output  gain  was  mechanized  so  that  full  pilot  stroke 
produced  about  1.2  inches  of  actuator  stroke;  this  ratio  needs 
to  be  considered  when  qualitatively  appraising  the  "feel”  of 
the  mechanical  controls. 

3.3.2  Load  Actuator  and  Control  Circuitr 

The  load  actuator  can  be  identified  in  Figure  9  as  the  actu¬ 
ator  connected  to  the  end  of  the  pivoted  beam.  As  shown,  it 
was  connected  in  parallel  with  the  primary  actuator  so  that  it 
can  be  used  for  simulating  reactionary  loads  from  the  output 
control  elements  e.g.,  the  swashplate.  The  load  actuator 


Figure  9.  Plan  layout  of  the  actuator/control  assembly. 
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was  controlled  by  the  control  circuitry,  which  can  be  identi¬ 
fied  in  Figure  2  as  the  small  circuit  board  on  the  lower 
I  right.  The  circuitry  was  connected  to  the  actuator  to  effect 

a  closed  loop.  A  gain  potentiometer  was  used  to  provide  a 
means  for  controlling  the  magnitude  of  the  load.  This 
actuator  and  circuitry  existed  and  was  used  without  any  mod¬ 
ifications  . 

2.3.3  Electronic  Control  and  Failure  Management  Circuitry 

Figure  10  is  a  schematic  of  the  failure  management  and  elec¬ 
tronic  control  circuitry  as  well  as  the  test  circuitry  for 
simulating  failures.  This  circuitry  is  also  shown  in  Figure 
2.  Each  of  the  squares  on  the  large  circuit  board  and  the  as¬ 
sociated  drive  signal  constitutes  a  control  path  from  the 
T/QIU.  The  T/QIU  is  located  on  the  lower  portion  of  the 
circuit  board,  which  is  immediately  to  the  right  of  the  large 
board  in  the  photo,  and  also  schematically  shown  in  Figure  10. 
AFCS  inputs  were  simulated  manually  with  the  lightweight 
control  stick  shown  in  Figure  2,  and  schematically  shown  in 
Figure  10,  as  the  three  potentiometers  that  provide  a  driving 
signal  for  the  T/QIU.  A  "sine  wave"  electrical  signal  was 
also  provided  as  an  alternate  means  of  driving  the  T/QIU.  A 
technical  discussion  of  this  unit  is  included  in  Appendix  A. 

3.3.4  Failure  Simulation  Panel 

The  Failure  Simulation  Panel  is  located  immediately  above  the 
T/QIU  circuitry  (see  Figure  2)  and  is  schematically  shown  in 
Figure  10  for  Control  Path  la.  The  switching  circuitry  pro¬ 
vides  the  capability  of  simulating  the  following  failure  modes 
for  each  control  path. 

•  Transient  input  (pulse) 

•  Hard  control  path  failure 

•  Hard  and  open  failure  in  two  triplex  links  (A1  and  A2) 

•  Open  EHSV  coil 

•  Inert  failure 

3.3.5  Test  Plan 

An  operational  and  failure  mode  test  plan  was  prepared  to  pro¬ 
vide  a  means  of  evaluating  the  operational  and  failure  protec¬ 
tion  characteristics  of  the  4-valve  actuation  system  and, 
hence,  to  determine  the  validity  of  the  system  for  use  as  an 
AFCS  actuation  in  a  research  test  helicopter.  This  document 
is  provided  as  a  section  in  the  appendices. 
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3.4  FABRICATION  PROGRAM 


Most  of  the  equipment  for  this  program  has  been  used  pre¬ 
viously  in  a  Bell  IR&D  FBW  program  and  only  minor  modifica¬ 
tions  were  required.  The  most  significant  changes  were 
associated  with  the  configuration  and  interconnection  of  the 
actuators.  The  fabrication  of  these  changes  and  others  are 
discussed  below. 

3.4.1  Test  Stand 

The  test  stand  depicted  in  Figure  11  existed  and  was  provided 
by  Bell.  It  was  modified  as  required  to  accommodate  the  ac¬ 
tuator/control  assembly  installation.  As  shown,  the  cyclic 
control  stick  and  control  tubes  were  added  to  provide  the 
mechanical  pilot  input. 

3.4.2  Actuator  Assembly 

The  actuator  assembly  consists  of  a  single  piston  primary 
actuator,  4-valve  fault- tolerant  actuator,  centering  actua¬ 
tion  unit,  and  load  actuator.  All  of  these  actuators  existed 
and  were  used  without  modifications  with  the  exception  of  the 
centering  actuation  unit.  This  unit  was  a  modified  AH-1G 
Cobra  SCAS  actuator.  Bell  provided  the  load  and  4-valve 
actuators  and  Hydraulic  Research  Textron  provided  the  primary, 
single-piston  actuator,  and  the  modified  SCAS  actuator.  The 
actuators  were  fabricated  into  the  configuration  shown  in 
Figure  9. 

3.4.3  Electronic  Circuitry 

Some  additional  electronic  circuitry  was  fabricated  for  use 
with  existing  circuit  hardware.  Figure  12  is  a  photograph 
of  the  existing  circuit.  Figure  11  shows  this  circuitry 
plus  the  added  circuitry,  which  is  the  board  on  the  right  with 
the  switches  at  the  top.  The  T/QIU  circuitry  and  failure 
simulation  circuitry  are  fabricated  on  this  board.  The  small 
circuit  board,  separate  and  on  the  right,  is  the  electronic 
drive  circuitry  for  the  load  actuator.  It  existed  and  was 
used  without  modifications. 

3.4.4  Electrical/Hydraulic  Power  Supplies 

Electrical  and  hydraulic  switches  were  used  in  conjunction 
with  laboratory  power  supplies  to  simulate  redundant  supplies. 
No  fabrication  was  required. 


MECHANICAL 

INPUT 


Figure  11.  Laboratory  test  hardware. 


Figure  12.  Electronic  test  circuitry. 


3.5  TEST  AND  DEMONSTRATION  PROGRAM 


The  test  plan  was  prepared  as  a  contracted  item  and  has  been 
included  as  such  in  the  appendices.  The  test  instructions 
from  this  plan  have  been  integrated  into  this  section  and 
presented  along  with  the  associated  results  of  each  test. 
Figures  8  and  10  can  be  used,  if  necessary,  to  supplement  the 
following  stated  tests  and  results.  The  tests  were  conducted 
in  accordance  with  the  test  plan  with  some  noted  minor 
variations. 

Scope 

The  objective  of  the  Integrated  Test  Program  was  to  provide  a 
means  of  appraising  the  4-valve  actuation  system  as  a  candidate 
actuation  concept  for  use  in  the  control  system  of  a  potential 
test  vehicle.  It  allows  the  actuation  concept  to  be  evaluated 
in  terms  of  operational  suitability  and  its  ability  to  tolerate 
failures . 

The  following  sections  describe  the  test  procedures  and 
results. 

3.5.1  Functional  Test 


3. 5. 1.1  Primary/Load  Actuator  Configuration 

Hydraulics  OFF.  With  adjustable  friction  set  for  a  minimum, 
move  pilot’s  control  from  stop  to  stop  and  check  for  freedom  • 
of  motion  and  interferences. 

Results .  System  moved  freely  with  no  interferences. 

Hydraulics  ON.  Move  pilot's  controls  from  stop  to  stop  and 
qualitatively  check  for  operational  suitability;  note  dead 
spots,  thresholds,  breakout  forces,  etc.  Turn  off  Supply 
No.  1;  Supply  No.  2  should  automatically  take  over.  Apply 
pressure  to  load  actuator  and  with  an  appreciable  amount  of 
load,  move  primary  actuator  from  stop  to  stop  to  assure 
proper  operation. 

Results .  Primary  actuator  operated  in  a  normal  manner. 

Motion  was  smooth  with  no  appreciable  dead  spot.  Loss  of 
hydraulic  Supply  No.  1  resulted  in  automatic  transfer  of 
primary  actuator  to  Supply  No.  2,  as  was  expected. 

3.5.2  Fault-Tolerant  AFCS  Actuation  System  Alignment 

The  basic  electronic  circuitry  was  used  on  a  previous  pro¬ 
gram  and,  hence,  it  was  assumed  that  all  the  closed  loops 
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were  stable.  The  control  paths,  however,  were  realigned  to 
assure  proper  operation.  Each  control  path  was  aligned  and 
t  tested  separately  under  the  conditions  stated  below.  Refer¬ 

ence  should  be  made  to  Figure  10  for  supplemental  information. 
It  is  pointed  out  that  the  operational  amplifiers  are  operated 
at  +28  VDC  to  ground  with  +14  VDC  used  as  common. 

3. 5. 2.1  Alignment  and  Test  of  Control  Paths 

t 

Control  Path  la 

Conditions:  •  Hydraulic  power  on 

Electrical  power  on 

•  All  solenoid  valves  disconnected 

•  EHSV  coil  shorted  across 

•  TP5  shorted  to  +14  VDC 

•  Control  path  la  engaged 

EHSV  Tracking  Loop 

The  purpose  of  the  loop  is  to  maintain  EHSV  track  with  the 
other  EHSVs . 

•  Adjust  "Pot  1"  to  null  "TPl"  (reference  +14  VDC).  This 
operation  assumes  the  mechanical  null  of  the  EHSV  is 
correct  and  aligns  the  tracking  loop  accordingly.  The 
mechanical  null  is  accurate  to  ±2  percent,  which  is  con¬ 
sidered  an  adequate  reference  since  the  second  stage 

of  the  EHSV  has  an  overlap  of  ±10  percent. 

Results .  Nulled  tracking  loop. 

EHSV  Feedback  Loop 

Conditions :  Same  as  above. 

The  purpose  of  this  loop  is  to  improve  the  linearity  of  the 
EHSVs  and  to  help  maintain  the  null  alignment.  This  operation 
I  also  assumes  the  mechanical  null  of  the  EHSV  is  correct  and 

aligns  the  linearity  loop  accordingly. 

•  Adjust  "Pot  2"  to  null  "TP2"  (referenced  to  +14  VDC). 
Results .  Nulled  feedback  loop. 

V* 

These  instructions  were  followed  for  all  four  paths  with 
satisfactory  results.  When  all  channels  had  been  aligned 
and  the  system  returned  to  normal  operation  (all  channels 
engaged),  outputs  from  some  of  the  tracking  loops  were  higher 
than  expected.  With  additional  investigation,  an  alternate 
I 


» 


43 


► 

[ 

» 


I 


» 


i 


t 


t 


I 


( 


alignment  procedure  was  developed  with  improved  results.  The 
alternate  method  consisted  of  the  following  procedure. 

•  All  solenoid  valves  disconnected 

•  All  EHSV  coils  shorted  across 

•  All  inputs  to  tracking  loops  shorted  to  +14  VDC 

•  All  channels  engaged 

•  Electrical  and  hydraulic  power  on 

•  All  actuator  position  FB  signals  aligned  (within  3 
mv) 

•  All  control  signals  aligned  (within  11  mv) 

New  Results.  All  TPls  were  nulled  with  their  associated  "Pot 
1 . "  All  "TP2s"  were  nulled  with  their  associated  "Pot  2." 
With  all  shorts  removed,  all  solenoids  connected,  and  all 
control  paths  engaged,  the  tracking  loops  maintained  outputs 
very  near  their  nulled  output  (2  mv  maximum). 


Frequency  Response  Test 

Conditions:  *  Hydraulic  power  on  (1300  psi ) 

•  Electrical  power  on 

•  Solenoid  valves  disconnected 

•  Shorts  across  EHSVs  removed 

•  Control  paths  engaged 

•  Open  SW4  and  connect  a  frequency  source 
across  the  normally  closed  contact  to 
effect  a  series  input 

•  Short  on  TP  5  removed 

•  Adjust  AFCS  input  to  effect  a  null  at  TP5. 

•  Conduct  frequency  response  of  the  control  path  and  EHSV 
using  the  LVDT  as  the  output  element. 


Results .  The  input  signal  was  adjusted  to  drive  the  LVDT 
approximately  25  percent  of  maximum. 
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Control  paths  dynamically  tracked  well,  and  demonstrated  a  flat 
response  to  50  Hz,  and  were  down  6dB  at  approximately  140  Hz. 

3. 5. 2. 2  Alignment  of  Electrical  Mechanical  Transducers 

Actuator  Feedback  Transducers 


Conditions:  •  Hydraulic  power  on 

•  Electrical  power  on 

•  Solenoid  valves  connected 

•  Control  paths  engaged 

•  Use  AFCS  simulation  controller  and  position  4-valve 
actuator  in  increments  and  determine  sensitivity  in  terms 
of  volts  per  inch  of  actuator  travel. 

Results.  3.32  volts  of  AFCS  signal  produced  one  inch  of 
actuator  travel.  Ratio  of  the  AFCS  signal  to  feedback  signal 
is  one. 

•  Use  controller  and  drive  4-valve  actuator  in  increments 
and  measure  track  error  from  stop  to  stop. 

Results .  The  maximum  tracking  error  was  0.201  volt.  This 
measurement  was  made  at  TP1,  which  is  the  output  of  an  ampli¬ 
fier  with  a  stage  gain  of  ten.  This  amounts  to  about  1.5 
percent  of  valve  displacement  and  0.06  percent  of  total  pilot 
control  authority. 

•  Trim  feedback  transducers  using  la  as  reference. 

Results .  The  basic  transducers  are  dual  element  potentio¬ 
meters  with  0.5-percent  linearity.  The  end  points  did  not  me¬ 
chanically  coincide.  To  improve  tracking,  a  trimpot  was  added 
to  each  pair  of  elements.  All  feedback  transducers  were 
adjusted  for  zero  difference  at  the  center  position.  This 
adjustment  resulted  in  a  maximum  deviation  of  40  mv  over  the 
total  travel. 

AFCS  Simulation  Control  Transducers 


Conditions:  Same  as  above. 

•  Use  same  procedure  as  above  on  triplex  controller  for 
control  paths  Al,  A2,  and  A3. 

Results .  The  triplex  simulated  input  utilizes  the  same  type 
potentiometer  as  the  feedback  transducers.  Alignment  was 
accomplished  by  the  same  procedure  used  for  the  feedback 
transducer  with  equal  results. 
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If  necessary,  trim  the  gain  of  summing  amplifier  in 
interface  unit  to  make  control  path  la  track  with  other  3 
paths . 

Results .  Control  path  la  is  derived  by  summing  signal  outputs 
from  Al,  A2 ,  and  A3.  No  trimming  was  required. 


3. 5. 2. 3  Auto  Tracking  Loop  Test 


Conditions : 


Hydraulic  power  on 
Electrical  power  on 
All  solenoid  valves  disconnected 
All  control  paths  disengaged 


•  Short  TP 5  to  +14  VDC  in  all  control  paths  to  isolate  the 
control  input.  Engage  control  path  2a,  then  the  other 
paths,  one  at  a  time.  Use  pulse  key  on  Failure  Simula¬ 
tion  Panel  and  apply  pulse  to  control  path  2a.  Quali¬ 
tatively  observe  the  output  of  LVDT  on  an  oscilloscope 
and  note  characteristics. 


Results .  Test  indicated  tracking  loops  were  well  damped. 

•  Disengage  control  path  2a,  remove  short  from  TP5  in  all 
control  paths.  Connect  path  2a  solenoid.  Engage  control 
path  2a,  4-valve  AFCS  actuator  will  track  simulated  AFCS 
input.  Drive  AFCS  actuator  from  stop  to  stop  and  examine 
for  interferences  over  the  complete  range  of  the  pilot's 
mechanical  input.  The  friction  unit  on  the  pilot's 
controls  will  probably  have  to  carry  some  friction  be¬ 
cause  of  the  short  link  arrangements. 

Results .  Very  little  friction  is  necessary  and  no  interfer¬ 
ence  noted. 


•  Repeat  with  some  load  applied  by  the  load  actuator. 

Apply  step  input  to  AFCS  actuator  and  observe  stability 
characteristics  with  oscilloscope. 

Results.  Actuator  loop  was  well  damped. 

•  Engage  all  control  paths  and  drive  the  AFCS  actuator  in 
increments  over  full  travel  and  check  tracking  of  each 
control  path  at  TP6 .  This  is  the  signal  that  is  used 
through  the  limiting  diodes  at  TPl  for  autotracking  as 
well  as  for  a  signal  to  the  failure  management  circuitry. 

Results .  Data  for  automatic  tracking  are  shown  in  Table  1. 

Maximum  tracking  error  was  0.32  percent  in  terms  of  actuator 

travel . 
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TABLE  1.  CONTROL  PATH  TRACKING  DATA 
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The  composite  test  is  a  quick  check  to  assure  that  simul¬ 
taneous  operation  of  the  primary  actuator  and  AFCS  actuator 
does  not  create  any  mechanical  interferences  or  objectionable 
"feel"  in  the  pilot's  controls. 

Conditions:  •  Electrical  power  on 

•  Hydraulic  power  on 

•  4  control  paths  engaged 

•  Simultaneously  apply  a  varying  input  to  the  AFCS  actuator 
while  the  primary  actuator  is  being  driven  throughout  its 
displacement  range. 

Results .  No  mechanical  interferences. 

If  any  mechanical  interferences  or  objectionable  pilot  "feel" 
characteristics  are  present,  they  should  be  cleared  before  pro¬ 
ceeding  to  the  Operational  Suitability  Test.  It  is  pointed 
out  that  the  pilot  will  feel  the  motions  of  the  AFCS  actuator 
when  the  sum  of  the  AFCS  actuator  and  his  input  exceeds  the 
downstream  stops.  This  should  be  recognized  as  a  normal  cue 
that  the  controls  are  against  the  stops. 


3.5.4  Operational  Suitability  Test 

This  test  is  similar  to  the  above  functional  composite  test 
with  the  exception  that  the  operating  conditions  will  be 
varied  and  some  parameters  will  be  measured  and  recorded. 

The  purpose  of  this  test  is  to  provide  information  pertinent 
to  the  judging  of  the  operational  suitability  of  the  4-valve 
actuation  concept. 

3. 5. 4.1  Characteristics  Under  Normal  Conditions 

Conditions :  •  Electrical  power  on 

•  Hydraulic  power  on 

•  4  control  paths  engaged 

•  Load  actuator  adjusted  for  typical  static 

load 

•  Measure  displacement  threshold  of  pilot  controls  in  terms 
of  inches  at  top  of  stick.  This  will  actually  show  up  as 
a  "dead  spot"  in  the  controls.  For  this  to  be  meaningful, 
the  measurement  should  be  corrected  to  reflect  the  dif¬ 
ference  in  the  short  linkage  control  ratio  and  control 
ratio  in  the  test  helicopter. 
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Results .  The  corrected  threshold  was  ±0.09  inch. 

I  •  Measure  the  AFCS  input  threshold  in  volts  required  from 

the  simulated  inputs  to  effect  a  displacement  of  the  4- 
valve  actuator.  As  in  the  above  case,  this  measurement 
should  be  corrected  to  read  in  terms  of  percent  of  the 
actual  capable  travel  of  the  4-valve  actuator. 

t  Results .  The  AFCS  actuator  displacement  is  mechanized  to 

operate  the  primary  actuator  valve.  Unless  loads  on  the 
primary  actuator  exceed  its  capability,  the  AFCS  actuator 
is  essentially  unloaded  at  all  times.  Under  the  above-stated 
conditions,  ±4  mv  of  input  signal  was  adequate  to  move  the 
4-valve  actuator.  This  test  was  performed  by  observing 
.  the  feedback  voltage  and  moving  the  control  motion  transducer 

until  a  noticeable  change  was  produced  in  the  feedback  volt¬ 
age.  The  4-valve  actuator  has  a  total  travel  of  4.0  inches 
but  was  restricted  to  0.50  inch.  This  scaling  was  necessary 
due  to  the  actuator-centering  mechanism.  In  terms  of  limited 
actuator  travel,  the  deadband  represented  0.24  percent  of  0.50 
inch;  in  terms  of  total  actuator  travel,  the  deadband  rep¬ 
resented  0.03  percent. 

•  Qualitatively  evaluate  pilot  and  AFCS  characteristics 
while  both  are  operating  simultaneously.  Observe  objec¬ 
tionable  "dead  spot"  effects  that  may  occur  when  the 
f  direction  of  the  AFCS  actuator  is  reversed. 

Results.  There  were  no  apparent  dead  spots  in  the  pilot's 
controls . 

3. 5. 4. 2  Characteristics  Under  Single  Failure  Conditions 

I 

Conditions:  •  Same  as  3. 5. 4.1  except  with  control 

•  Path  la  disengaged. 

Procedure:  Same  as  3. 5. 4.1. 

Results .  Hydraulic  flow  gain  and,  hence,  the  bandwidth  was 
reduced  to  some  degree  in  the  4-valve  actuator;  however,  there 
was  no  apparent  change  in  the  pilot's  controls.  Force  gain 
remained  the  same. 

3. 5. 4. 3  Characteristics  Under  Dual  Failure  Conditions 

Two  Companion  Control  Paths  (shares  same  piston) 

Conditions :  Same  as  3. 5. 4.1  except  with  control  Paths 

la  and  lb  disengaged. 

Procedure:  Same  as  3. 5. 4.1. 
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Results.  Flow  gain  remained  unchanged  but  force  gain  was  re¬ 
duced  by  0.5.  No  apparent  change  in  pilot's  control,  however. 

Two  Control  Paths  not  Sharing  Same  Piston 

Conditions:  Same  as  3. 5. 4.1  except  with  control  paths 

la  and  2a  disengaged. 

Procedure:  Same  as  3. 5. 4.1. 

Results .  Flow  gain  reduced  by  0.5,  but  force  gain  remained 
the  same.  No  apparent  change  in  pilot's  control. 

One  Control  Path  And  Associated  Failure  Management  Circuit 

Conditions:  Same  as  3. 5. 4.1  except  with  control  path 

la  failed  "hard"  and  failure  management 
circuit  la  inoperative. 

Procedure:  Same  as  3. 5. 4.1. 

Results .  The  system  was  stable.  Control  path  la  EHSV  was 
completely  open,  which  resulted  in  an  increased  deadband  of 
±20  mv  and  a  static  displacement  of  0.04  inch. 

3. 5. 4. 4  Characteristics  Under  Failure  of  One  Electrical 
SUPP1? 

Conditions:  Same  as  3. 5. 4.1  except  electrical  supply 

to  control  paths  la  and  lb  off. 

Procedure:  Same  as  3. 5. 4.1. 

Results .  Control  paths  la  and  lb  were  automatically  dis¬ 
engaged.  Operation  was  same  and  with  same  results  as  for 
failure  of  two  companion  control  paths  when  la  and  lb  channels 
were  disengaged.  The  deadband  was  ±2  mv. 

3. 5. 4. 5  Characteristics  under  Complete  Failure  of  Electrical 
and  Hydraulic  Power 

Conditions:  Same  as  3. 5. 4.1  except  all  electrical  and 

hydraulic  power  supply  turned  off. 

Procedure:  Same  as  3. 5. 4.1  except  no  test  required  on 

AFCS. 

Results .  AFCS  actuator  automatically  centered.  No  restric- 
tions  in  mechanical  or  hydraulic  system  were  experienced  other 
than  normal  friction  load. 
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3.5.5  Failure  Modes  and  Effect  Test 

The  tests  in  this  section  cover  the  basic  type  of  failures 
that  can  occur.  The  intent  was  to  validate  the  4-valve  actua¬ 
tion  concept  as  a  viable  fault- tolerant  actuation  system.  The 
AFCS  control  paths,  up  to  and  including  the  EHSV’s,  were 
tested  to  assure  an  FTL  of  dual  fail-operate  for  the  worst 
conditions.  The  electrical  and  hydraulic  power  systems  were 
tested  to  assure  that  the  failure  effects  on  the  total  system 
would  result  in  an  FTL  of  single  fail-operate  and  dual  fail¬ 
safe.  The  failure  modes  covered  in  the  subsequent 
subsections  were  simulated  using  the  switches  on  the  Failure 
Simulation  Panel,  four  electrical  power  switches,  two 
hydraulic  hand  valves,  and  combinations  of  these  input 
devices.  Pertinent  parameters  were  measured  and  recorded  to 
define  failure  effects.  The  measurements  were  made  using  an 
oscilloscope.  Except  as  noted,  all  initial  conditions  were 
for  all  control  paths  and  power  supplies  to  be  operating. 

3. 5. 5.1  Control  Paths  and  Failure  Management  System 

Transient  Disturbances 

The  purpose  of  this  test  was  to  show  tolerance  to  EMI -type 
disturbances . 

Short  Pulse  -  Control  Path  la  Only 

•  Position  SW2  to  Pulse  position  and  use  SW1  momentarily  to 
apply  pulse  (about  0.2  sec).  Applied  pulse  should  result 
in  a  short  duration  jump  of  the  actuator.  Control  path 
la  should  tolerate  this  disturbance  and  not  disengage. 

Result.  The  0.2-second  disturbance  to  the  actuator  resulted 
m  a  Dump  of  0.044  inch  and  restored  to  original  position. 

•  Adjust  pulse  width  to  approximately  0.4  second  and  apply 
pulse  to  path  la  (disengage  delay  time  set  for  0.35 
second) . 

Result.  Control  path  la  disengaged  and  the  system  restored. 

•  Reengage  control  path  la. 

First  Hard  Failure 

This  test  is  to  demonstrate  the  ability  of  the  system  to  manage 
hard  failures. 
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•  Position  SW2 ,  control  path  la  to  HARD  to  simulate  a  hard 
failure.  Use  oscilloscope  and  measure  and  record  actu¬ 
ator  displacement  and  time  required  for  recovery. 

Result.  Control  path  la  disengaged.  First  hard  failure 
displaced  the  actuator  0.044  inch  and  the  system  restored  after 
the  control  channel  was  disengaged  after  a  time  delay  of  0.35 
second,  which  was  arbitrarily  established  for  the  test  model. 

Second  Hard  Failure 


This  test  is  to  demonstrate  the  ability  of  the  system  to  manage 
dual  hard  failures. 

Position  SW2 ,  control  path  2a,  to  HARD  to  simulate  a 
second  hard  failure.  Control  path  2a  should  disengage. 
Measure  and  record  actuator  displacement  and  time 
required  for  recovery. 

Result.  Control  path  2a  disengaged.  The  second  failure  re¬ 
quires  a  higher  disagreement  between  the  EHSV's  than  for  the 
first  failure,  which  assures  a  more  positive  failure.  First 
failure  requires  a  faulty  path  to  cause  a  disagreement  of  about 
40  percent  (of  total  EHSV  displacement)  with  the  other  EHSVs 
to  effect  a  disengagement.  The  second  failure  requires  a 
disagreement  of  45  percent.  The  remaining  two  control  paths 
*  continued  to  operate  in  a  normal  manner. 

The  recovery  time  was  0.35  second  as  was  expected;  the  dis¬ 
placement  was  0.1  inch. 

•  Reengage  control  paths  la  and  2a. 

Single  Inert  Control  Path  Failure 

This  test  is  to  demonstrate  the  ability  of  the  system  to  sense 
inert- type  failures  without  requiring  large  valve  displacements. 

•  Position  SW5,  control  path  la  to  OPEN  to  simulate  an  open 
EHSV  coil.  Simulate  an  AFCS  input;  control  path  la 
should  disengage  immediately. 

Results .  SW5  opened  the  EHSV  coil  that  controls  the  LVDT 
feedback  signal  in  a  high  gain  negative  feedback  loop.  Unless 
the  control  path  under  test  is  perfectly  nulled,  the  open  coil 
will  be  detected  immediately  and  the  respective  control  paths 
will  disengage  with  no  actuator  jump.  Under  no  condition  was 
an  AFCS  signal  greater  than  ±2  mv  required  to  effect  a  disen¬ 
gagement  . 

•  Reengage  control  path  la. 
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Dual  Inert  Control  Path  Failure 


This  test  is  to  demonstrate  the  ability  to  manage  two  inert 
failures.  If  these  are  not  properly  managed,  a  "two-and- 
two"  vote  condition  can  occur.  This  system  recognizes  the 
condition  and  will  disengage  both  faulty  control  paths. 

•  Position  SW5,  control  paths  la  and  lb  to  OPEN  to  simulate 
two  open  EHSV  coils.  Simulate  an  AFCS  input,  control 
paths  la  and  lb  should  both  disengage.  Measure  the 
magnitude  of  the  AFCS  signal  reguired  to  effect  the 
disengagement . 

Result.  At  no  time  during  demonstration  did  the  two  channels 
fail  to  disengage.  Disengagement  occurred  instantly  when  the 
two  switches  were  opened. 

•  Reengage  control  paths  la  and  lb. 

Failure/Management  Circuitry  Failure  Plus  Associated  Control 
Path  Failure 


This  test  is  to  demonstrate  the  capability  of  the  system  to 
operate  with  one  control  path  failed  and  not  isolated  by  the 
normal  disengagement. 

•  •  Open  SW6,  control  path  la,  to  simulate  an  inert  Failure 
Management  System.  Position  SW2 ,  control  path  la,  to 
HARD  to  simulate  a  hard  failure.  The  hard  failure  should 
not  effect  a  disengagement  since  the  associated  failure 
management  circuitry  is  inoperative;  the  fault-tolerant 
actuation  system  should  still  be  operable  but  with  a 
slight  static  offset.  Measure  and  record  this  offset. 

Result.  The  offset  was  recorded  to  be  0.044  inch  of  actuator. 
System  functioned  in  a  normal  manner.  Threshold  was  ±2  mv. 

•  With  the  pilot's  control  locked,  record  the  stall  load 
for  this  condition  in  terms  of  pressure  on  load  actuator. 

Result.  500  psi  was  required  to  effect  a  stall  condition. 

The  primary  actuator  stalled  at  a  pressure  less  than  500  psi. 

•  Close  SW6;  control  path  la  should  disengage. 
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Results .  Control  path  la  disengaged  in  the  normal  delay  time 
after  SW6  was  closed. 


•  Disengage  control  path  lb. 

•  With  the  pilot's  mechanical  controls  locked,  measure 
stall  load.  This  should  be  about  the  same  as  for  the 
above  dual  failure  condition. 

Results.  500  psi  hydraulic  pressure  on  the  load  actuator 
stalled  the  AFCS  as  was  expected.  This  indicated  that  for 
the  preceding  test  condition,  the  affected  piston  was 
essentially  bypassed  by  the  operation  of  the  hard  failed 
EHSV  and  the  companion  EHSV. 

First  Failure  of  Triplex  Control  Path 

This  test  is  to  demonstrate  the  capability  of  managing  two 
failures  in  the  Triplex  AFCS  ahead  of  the  interface  unit. 

Position  SW4  to  OFF  to  simulate  a  failure  in  the  triplex 
control  path  Al.  Control  path  lb  should  disengage. 
Control  path  lb  has  a  shorter  time  delay  than  la  and 
operates  the  lb  disengagement  solid  state  switch  in  the 
interface  unit  before  control  path  la  can  disengage. 

After  the  switch  has  operated  to  effect  an  open  to  Al, 
control  path  la  will  restore  itself  to  correctly  track 
with  control  paths  2a  and  2b. 

Results .  Loss  of  signal  Al  caused  EHSV  coil  lb  to  have  a 
hard  signal  and  the  system  reacted  the  same  as  for  a  hard 
failed  signal.  The  control  path  automatically  disengaged 
after  the  failure  management  delay  time. 

Second  Failure  of  Triplex  Control  Path 

This  test  is  to  demonstrate  that  the  system  will  tolerate 
two  failures  on  the  triplex  control  paths  and  still  operate. 

•  Position  SW3  to  OFF  to  simulate  a  failure  in  triplex 
control  path  A2.  Control  path  2a  should  disengage.  As 
in  the  above  condition,  control  path  la  will  temporarily 
be  out  of  track  until  control  path  2a  is  disengaged. 

Results.  The  temporary  disruption  in  the  first  failure  caused 
the  actuator  to  jump  more  than  normally  experienced  for  a 
first  hard  failure.  Due  to  the  triplex/ guadruplex  design, 
a  failure  in  either  of  the  triplex  signals  created  a  failure 
in  the  dummy  control  path  la  as  well  as  the  failed  control 
path.  Control  path  la  has  a  longer  delay  than  control  paths 


2a,  lb,  or  2b  and  did  not  disengage;  however,  on  the  second 
failure,  two  additional  control  paths  would  trip  out.  Cir¬ 
cuitry  was  added  to  immediately  switch  out  the  failed  signal 
with  the  FET  switch  that  is  connected  to  the  dummy  channel. 

This  immediately  allows  the  dummy  control  path  to  track  pro¬ 
perly  again  as  well  as  to  reduce  the  actuator  jump.  This  addi¬ 
tional  circuitry  allows  two  control  paths  of  the  4-valve  sys¬ 
tem  to  work  properly  after  two  of  the  triplex  signals  have 
failed  and  allow  control  path  la  to  track  properly  at  all 
times.  The  dual  fail-operate  exceeds  the  single  fail-operate 
requirement. 

•  Returned  SW3  and  SW4  to  ON  position  and  reengaged  con¬ 
trol  paths  lb  and  2a. 

3. 5. 5. 2  Electrical  Power  Supply 

Single  Failure 

This  test  is  to  demonstrate  the  capability  of  the  actuation 
system  to  continue  operating  after  one  electrical  power  supply 
has  failed.  Power  Supply  No.  1  provided  power  to  control  paths 
la  and  lb  while  Supply  No.  2  provided  electrical  power  to 
control  paths  2a  and  2b.  The  existing  power  switches  on  the 
engage/disengage  panel  were  used  to  simulate  electrical  power 
supplies  No.  1  and  2. 

•  Position  power  switches  for  control  paths  la  and  lb  to 
OFF. 

Result.  Control  paths  la  and  lb  disengaged.  Control  paths 
2a  and  2b  continued  to  operate  in  a  normal  manner.  The  loss 
of  the  two  control  paths  does  not  change  the  ’’flow  gain"  of 
the  actuator;  however,  the  force  gain  was  reduced  to  one- 
half  of  the  normal  gain. 

Dual  Failure 


Purpose  of  this  test  is  to  demonstrate  that  if  both  electrical 
supplies  fail,  the  AFCS  actuator  will  automatically  center  at 
an  acceptable  rate  and  mechanically  lock  and  provide  a  pivot 
for  the  pilot's  mechanical  control  input.  The  second  failure 
is  fail-safe  in  that  the  pilot  can  still  fly  with  boosted 
manual  controls. 

•  With  the  AFCS  actuator  fully  extended  in  one  direction, 
position  the  power  switches  for  the  two  power  supplies  to 
the  OFF  position.  Measure  time  required  for  the  AFCS 
actuator  to  center. 
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Result.  All  control  paths  disengaged  and  the  AFCS  actuator 
centered  and  mechanically  locked.  Actuation  system  reverted 

♦  to  boosted  manual  controls.  Normal  time  was  approximately  one 
second  for  actuator  centering. 

•  Position  all  electrical  power  switches  to  ON. 

3. 5. 5. 3  Hydraulic  Power  Supply 

Single  Failure 

This  test  is  to  demonstrate  that  the  system  will  tolerate  a 
hydraulic  supply  failure  and  continue  operating. 

•  Close  the  No.  1  manual  valve  to  simulate  a  failure  of 
Hydraulic  Supply  No.  1. 

Result.  The  pressure-operated/spring-return  bypass  valve 
across  Piston  No.  1  opened  to  the  bypass  position  so  that 
Piston  No.  2  operated  unrestricted.  Control  paths  la  and  lb 
did  not  disengage  because  of  a  "two-and-two"  vote  condition. 
This  is  a  plus  since  it  demonstrates  the  AFCS  actuator  is  not 
vulnerable  to  hydraulic  transients.  In  addition,  the  pressure- 
operated  valve  on  the  primary  actuator  operated  to  connect 
Hydraulic  Supply  No.  2  to  the  primary  actuator. 

*  Dual  Failure 


This  test  was  to  demonstrate  that  the  actuation  system  was 
fail-safe  after  two  hydraulic  failures  in  that  it  will  revert 
to  manual  control. 

♦  Close  the  No.  2  manual  valve  to  simulate  a  failure  of 
Hydraulic  Supply  No.  2. 

Result.  The  pressure-operated/spring-return  bypass  valve 
across  Piston  No.  2  moved  to  the  bypass  position  and  allowed 
the  centering  unit  to  center  and  lock  the  AFCS  actuator.  This 
provided  a  fixed  pivot  for  the  pilot's  input.  In  addition, 
the  pressure-operated/spring-return  valve  across  the  primary 
actuator  operated  to  effect  a  bypass  on  the  piston  to  allow 
freedom  of  movement  and,  hence,  revert  to  unboosted  controls. 


f 
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4 .  RECOMMENDAT I ONS 


♦ 


This  program  and  the  BHT  IR&D  program  have  confirmed  the 
validity  of  the  4-valve  actuation  concept  for  use  in  applica¬ 
tions  that  require  fault- tolerant  actuation  systems.  Hence, 
it  is  recommended  that  further  steps  be  taken  toward  obtain¬ 
ing  a  flight  test  model  of  a  control  system  using  this  con¬ 
cept.  In  a  subsequent  program,  it  is  recommended  to  go  to  a 
full  FBW  control  system  and  to  use  the  4- valve  actuator  as 
the  primary  actuator.  This  approach  would  afford  a  "smart" 
control  system  and  also  delete  the  mechanically  driven  primary 
actuator  as  well  as  the  associated  mechanical  interface.  It 
is  pointed  out,  however,  that  during  the  development  flight 
test  of  such  a  system,  the  mechanical  controls  could  be  re¬ 
tained  as  a  backup  control  system  for  the  safety  pilot.  At 
some  later  date  after  the  reliability  of  the  FBW  control 
system  has  been  validated,  the  mechanical  controls  could  be 
removed.  The  objective  of  this  follow-up  effort  would  be  to 
validate  a  flight  test  model. 

The  objective  could  be  obtained  in  the  three-phase  program 
outlined  below. 

4.1  PHASE  I 

This  phase  would  be  to  develop  circuit  and  actuator  configura¬ 
tions  suitable  for  use  in  a  flight  test  model.  This  would  in¬ 
clude  designing,  fabricating,  and  testing  a  laboratory  model 
of  the  circuitry  and  the  FBW  actuator  with  the  auxiliary  me¬ 
chanical  backup  controls. 

4.2  PHASE  II 

Prototype  hardware  for  the  flight  test  model  would  be  fabri¬ 
cated  and  qualified  under  this  phase  to  the  extent  necessary 
for  safety  of  flight.  Phase  II  should  also  include  a  system 
integration  bench  test. 

4.3  PHASE  III 

The  flight  test  model  of  the  4-valve  FBW  control  system  with 
the  auxiliary  mechanical  backup  control  would  be  validated 
in  this  phase.  It  would  include  installation,  ground  test, 
ground  run,  and  flight  test.  Extensive  failure  mode  testing 
would  be  accomplished  during  ground  test  and  ground  run. 

The  ground  run  test  would  also  include  a  prescribed  number 
of  hours  with  all  the  controls  being  moved  periodically.  A 
minimum  of  twenty  hours  of  flight  time  would  be  required. 
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After  the  developmental  flight  test  program,  it  is  recommended 
that  the  aircraft  be  assigned  to  duty  in  an  area  where  cogni¬ 
zant  personnel  could  maintain  the  control  system  and  provide 
guality  maintenance  records.  After  the  system  had  been  quali¬ 
fied  to  a  specified  maintenance  program  as  well  as  a  specified 
number  of  flight  hours,  the  4-valve  FBW  control  system  would 
be  considered  validated  and  subject  to  being  used  in  produc¬ 
tion  aircraft. 


APPENDIX  A 


TECHNICAL  DISCUSSION  OF  A  4-VALVE  ACTUATION  CONCEPT 

INTRODUCTORY  COMMENTS 


This  section  describes  the  basic  4-valve  actuation  concept  as 
it  relates  to  the  basic  control  elements.  It  provides  a  con¬ 
ceptual  description  of  the  electrical  links,  electrohydraulic 
interface,  power  actuators,  and  failure  management  system. 

The  actuator  configuration  may  be  a  redundant  tandem  piston  or 
a  parallel  actuator  configuration.  To  facilitate  the  descrip¬ 
tion  of  the  concept  in  the  subsequent  subsections,  a  conven¬ 
tional  dual  tandem  piston  configuration  will  be  used  (see 
Figures  Al  and  A 2 ) . 

To  provide  a  viable  fault-tolerant  control  system,  it  is 
necessary  to  have  an  adequate  number  of  reliable  control  paths 
and  actuators  for  each  control  channel  and,  also,  a  com¬ 
patible,  secure  failure  management  system.  The  system 
described  in  the  following  material  satisfies  the  control 
channel  requirement  and  includes  a  unique  concept  for  sensing 
and  isolating  a  failed  and/or  degraded  control  path. 

DESCRIPTION  OF  CONCEPT 

Summary.  The  basic  fault- tolerant  actuation  system  consists 
of  dual  hydraulic  primary  actuators,  quadruplex  electrical 
control  paths,  and  a  failure  management  system.  Two  electri¬ 
cal  control  paths  are  used  for  each  piston.  The  failure 
management  system  is  mechanically  interfaced  with  the  elec¬ 
trical  control  paths  to  provide  maximum  security.  It  provides 
automatic  disengagement  of  a  control  path  and  also  provides 
track  error  signals  that  are  used  in  the  control  paths  for 
automatic  alignment  of  the  four  valves. 

A  flight  test  model  of  this  system  would  include  a  master 
control  panel  and  an  annunciator  panel.  The  control  panel 
would  provide  the  necessary  control  functions,  preflight 
checkout  capability,  and  a  manual  reset  for  each  control 
channel.  The  annunciator  panel  would  indicate  the  operating 
condition  of  the  control  paths  and  would  operate  in  conjunc¬ 
tion  with  the  control  panel  for  the  preflight  checkout. 

FBW  Control  Paths.  A  control  axis  of  the  basic  4-valve  actu- 
ation  concept  consists  of  four  FBW  control  paths  and  a  dual 
piston  power  cylinder.  The  four  control  paths  connect  the 
AFCS  signals  to  the  power  actuator  cylinder  and  include  the 
four  electrohydraulic  servovalves  as  shown  in  Figure  A2. 
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The  dual  actuator  schematically  depicted  is  conventional, 
except  that  the  control  head  (spool  valve  assembly)  has  been 
replaced  with  the  four  electrohydraulic  servovalves. 

Figure  A2  is  a  functional  schematic  of  the  follow-up  system; 
i.e.,  the  dual  boost  actuator  is  slaved  to  the  AFCS  control 
inputs.  All  control  paths  are  identical  and  operate  simultan¬ 
eously.  A  control  input  to  the  amplifiers  proportionally 
opens  the  valves  and  drives  the  actuator  until  the  dual  feed¬ 
back  transducers  provide  feedback  signals  that  cancel  the  com¬ 
mand  signals  at  the  amplifier,  which  closes  the  valves  and 
hence  stops  the  actuator  at  a  new  position.  The  four  valves 
are  continuously  and  automatically  aligned  by  a  limited  author¬ 
ity  signal  that  is  inherent  in  the  failure  management  system 
(this  feature  is  discussed  in  more  detail  later).  The  dual  feed¬ 
back  transducers  can  be  single  elements  and  separately  located  to 
reduce  vulnerability  to  battle  damage  if  desired.  The  response 
of  the  actuator  can  be  shaped  to  improve  handling  qualities  as 
required. 

The  failure  logic  for  the  system  shown  in  Figure  A2  operates 
in  the  following  manner.  If  a  control  path  fails  (e.g.,  path 
la),  the  path  is  automatically  disengaged  and  Valve  la  is  cut 
off  to  prevent  leakage  of  fluid  from  one  side  of  the  piston  to 
the  other.  A  second  path  failure  will  be  disengaged  in  the 
same  manner.  If  the  second  failure  should  be  path  lb,  the 
logic  circuitry  will  automatically  engage  a  pressure-operated 
hydraulic  bypass  across  the  common  piston  so  that  the  failure 
will  not  restrict  the  operation  of  the  other  piston.  It  is 
pointed  out  that  if  a  first  failure  should  disable  the  failure 
management  system  (described  in  the  next  section),  the  control 
path  system,  shown  in  Figure  A2,  has  the  inherent  capability 
of  absorbing  a  second  failure.  This  is  possible  because,  for 
example,  if  Valve  la  should  fail  and  remain  hardover,  the 
other  three  valves  will  go  in  the  opposite  direction  to  oppose 
the  actuator  motion.  This  will  effect  a  bypass  around  the 
piston  common  to  Valves  la  and  lb  and,  hence,  will  allow  the 
other  piston  to  operate  without  any  appreciable  degradation. 

This  inherent  feature  appreciably  improves  the  overall  reli¬ 
ability  of  the  system  and  allows  a  comparatively  simple  failure 
management  system  to  be  used  in  place  of  a  conventional  voting 
scheme . 

Failure  Management  System 

The  failure  management  system  complements  the  control  paths  to 
provide  a  control  system  with  a  failure  tolerance  level  of 
dual  fail-operate.  It  also  includes  an  inherent  signal  that 
is  used  to  effect  a  limited  authority  and  an  automatic  align¬ 
ment  function  for  the  control  paths,  which  compensates  for 
differences  in  component  tolerance  build-up.  The  failure 
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management  system  consists  of  a  failure-sensing  function  and 
an  automatic  disengage  function.  These  functions  are  con¬ 
ceptually  described  in  the  following  paragraphs. 

The  addition  of  an  LVDT-type  position  transducer  to  the  porting 
stage  of  the  servovalves  (second  stage  on  conventional  servo¬ 
valves)  allows  the  failure  management  circuitry  to  be  mechan¬ 
ically  interfaced  with  the  control  paths.  This  feature 
affords  a  more  secure  means  of  sensing  a  failed  or  degraded 
control  path  without  reducing  the  reliability  of  the  control 
path  and,  hence,  the  transducer  can  be  used  to  cover  failures 
up  to  the  power  piston.  Several  other  ways  to  provide  a  valve 
feedback  signal  for  this  failure  monitor  concept  were 
considered.  For  example,  differential  pressure  across  the 
second  stage  of  a  conventional  servovalve  can  be  used.  Also, 
the  current  flow  through  the  first  stage  (flapper  valve  coil) 
can  be  used  and  is  more  economical.  However,  neither  of  these 
approaches  will  provide  100  percent  failure  coverage  and  were 
discarded  in  favor  of  the  valve  position  transducer  approach. 
Valves  of  this  type  are  currently  available. 

The  basic  failure  sensing  function  for  each  power  actuator 
channel  is  provided  simply  by  using  four  equal  value  resistors 
in  conjunction  with  the  4-valve  position  transducers.  Connec¬ 
tion  of  the  resistors  as  shown  in  Figure  A3  constitutes  a  very 
simple  and  reliable  logic  concept  that  allows  each  control 
path  to  comparatively  monitor  itself,  determine  a  failure,  and 
disengage  itself. 

Figure  A3  is  a  simplified  schematic  of  the  basic  concept  for 
sensing  a  failure.  For  normal  operation,  the  voltage  across 
the  valve  position  transducers  should  be  the  same.  Since  the 
voltages  across  the  transducers  are  the  same  regardless  of 
valve  position,  there  will  be  no  appreciable  current  in  the 
resistors.  Current  will  flow  only  in  the  resistors  when  the 
valve  positions  are  not  in  agreement.  If  one  control  path  has 
a  "hard"  failure,  the  respective  porting  stage  will  fully 
displace  while  the  others  will  partially  displace  in  the 
opposite  direction.  The  voltage  differences  will  cause  a 
current  in  the  resistor  associated  with  the  failed  control 
path  that  is  several  times  higher  than  the  current  in  the 
other  resistors,  thus  providing  a  means  for  identifying  the 
failed  path.  For  example,  if  Valve  2b  is  hardover,  the  other 
three  will  be  displaced  a  small  amount  (depending  on  the 
actuator  load  and  the  loop  gain  of  the  control  paths)  in  the 
opposite  direction  and  each  will  produce  a  transducer  output 
voltage.  The  equivalent  circuit  would  be  as  shown  on  the 
following  page. 
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As  indicated  in  the  equivalent  circuit,  the  voltage  from  the 
valve  transducer  in  the  failed  control  path  is  opposite  in 
polarity  from  the  other  three  transducers  and,  in  effect,  is 
in  series  and  will  he  additive. 


(V_V2b) 

*  The  current  I2b  =  R//3+R  Rla  =  Rlb  =  R2a  =  R2b  =  R 


_  3  <V-V2b> 

~  4  R 

The  current  in  each  of  the  other  three  resistors  would  be 


1  <V~V2b> 

4  R 

or  1/3  the  current  in  R2fc.  A  second  failure  would  produce  the 

following  current  condition  (assuming  the  second  failure  is  in 
path  E^b  and  the  switch,  S2b,  has  opened): 


.  <v->>  .  2  <V'Vlb> 

"  r/3+r  5  r 


« 
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(v-v,  ) 

Au 

The  current  in  the  other  two  resistors  would  be  1/3  - g -  or 

one-half  the  current  in  the  resistor  of  the  failed  path. 

In  both  cases,  the  failure  current  associated  with  the  failed 
path  is  high  enough  (compared  to  the  other  currents)  to  provide 
a  means  of  positive  identification  of  a  failure  or  degraded 
condition. 

Several  approaches  for  detecting  failures  were  considered. 

One  approach  was  to  simply  compare  the  magnitude  of  the  fail¬ 
ure  voltages  across  each  resistor  with  a  set  threshold.  This 
approach  is  simple,  straightforward,  and  is  valid.  The  second 
approach  was  to  use  a  comparison  technique  for  determining 
failure.  This  approach  is  not  quite  as  simple  as  the  first 
approach,  but  it  appeared  to  be  more  tolerant  of  failures  and 
was  used  in  the  BHT  FBW  program.  Subsequent  studies  have  indi¬ 
cated  that  the  first  approach  offers  some  advantages  and  will 
be  used  in  future  systems. 

The  automatic  disengage  function  is  the  part  of  the  failure 
management  system  that  makes  the  decision  if  a  failure  has 
occurred,  disengages  the  failed  control  path  if  required,  or 
as  an  adjunct,  provides  a  soft-fail  (e.g.,  high  null)  indi¬ 
cation  to  the  pilot  but  does  not  produce  a  disengagement. 

The  soft-fail  feature  is  a  cautionary  device  for  the  pilot 
and  also  can  be  used  as  Built-In  Test  Equipment  (BITE). 

The  automatic  disengage  function  for  each  control  path  uses 
a  unique  comparison  technique  to  detect  a  failure  and  a 
threshold  circuit  to  effect  a  disengagement  of  the  failed 
control  path.  The  detection  concept  is  based  on  the  failure 
signal  from  the  failed  control  path  being  three  times  higher 
than  the  other  failure  signals  for  a  first  failure  and  two 
times  higher  for  a  second  failure.  The  failure  threshold  for 
automatic  disengage  can  be  judiciously  established.  A  time- 
inhibit  circuit  has  been  included  to  require  the  failure  to 
exist  for  a  predetermined  time  period  (perhaps  0.5  second)  to 
effect  a  disengagement.  The  purpose  of  this  is  to  provide  a 
more  positive  indication  of  a  failure. 

As  shown  in  Figure  A4,  the  Valve  2b  failure  signal  is 
negative-peak  detected  and  applied  to  the  noninverting  input 
of  the  threshold  amplifier.  If  the  failure  signal  is  negative 
and  larger  than  the  threshold  voltage,  the  output  of  the 
threshold  amplifier  will  swing  from  a  hard  negative  voltage  to 
a  hard  positive  voltage,  which  is  applied  to  the  time- 
inhibited,  fast-recovery,  control  path  disengage  switch.  If 
the  failure  exists  for  the  required  time  period,  the  solid- 
state  switch  will  disengage  the  control  path  and  will  also 
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switch  open  the  valve  position  transducer  circuit  to  the 
resistor,  as  shown,  to  isolate  the  failure  from  further  inter- 

*  acting  with  the  failure  management  system. 

As  an  adjunct  to  the  above  described  basic  concept,  an  addi¬ 
tional  feature  was  incorporated  in  the  design  of  the  failure 
sensing  circuitry  that  affords  it  the  intelligence  to  differ¬ 
entiate  between  an  inert-type  failure  and  a  hard-signal  fail- 

*  ure.  This  feature  was  tested  in  the  BHT  FBW  laboratory  model 
and  proved  to  be  an  asset  to  the  concept.  The  EHSV  drive 
circuitry  has  been  designed  so  that  any  open  circuit  up  to 
the  valve  coil  would  create  a  hard  failure.  Hence,  the  most 
probable  cause  of  an  inert  failure  in  a  control  path  would 
be  an  "open"  in  the  EHSV  coil. 

During  a  cruise  condition,  and  especially  in  calm  air,  the 
EHSV's  displacements  are  comparatively  small.  Hence,  if  one 
path  becomes  inert,  the  disagreement  between  the  inert  con¬ 
trol  path  and  the  operating  paths  may  not  be  of  sufficient 
magnitude  to  overcome  the  set  threshold  and  effect  a  disen¬ 
gagement.  This  suggests  that  an  open  EHSV  coil  failure  could 
exist  for  some  time  without  disengaging  the  respective  channel. 
Hence,  a  simple  circuit  was  included  as  a  part  of  the  failure/ 
management  system  to  monitor  the  EHSV  coil  (see  Figure  A5). 

It  simply  relates  the  EHSV  coil  current  with  input  signal  to 
determine  an  open  EHSV  coil  and,  in  turn,  disengages  the 

t  respective  control  path. 

In  addition  to  providing  a  method  of  failure  detection  and 
automatic  disengage,  the  failure  management  system  provides 
a  signal  for  each  control  path  that  is  used  to  automatically 
keep  the  servovalves  aligned  (in- track).  The  four  valves, 

t  as  shown  in  Figure  A2,  will  normally  be  out  of  track  to  some 

degree  because  of  circuit  component  tolerances  and  mechanical 
misalignments.  The  disagreement  between  the  valves  will  de¬ 
grade  the  force  gain  of  the  actuator  for  small  inputs  about  a 
null  position.  The  voltage  signals  across  the  resistors 
shown  in  Figure  A3  can  be  used  directly  with  the  control  path 

*  circuitry  to  make  the  valves  track.  That  is,  voltage  signals 
(prior  to  peak  detection)  Ela,  Elb,  E2fl,  and  E2b  can  be  used 

directly  as  driving  signals  to  their  respective  control  path 
amplifiers  to  effect  an  alignment  of  the  valves.  This  func¬ 
tion  is  made  fail-safe  by  limiting  the  control  authority  of 

.  the  signal. 
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THRESHOLD 


Figure  A5.  Inert  failure  monitor  for  driver  state  and 
coil  -  1  required  per  piston. 
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1 .  SCOPE 


The  objective  of  the  Integrated  Test  Program  is  to  appraise 
the  4-valve  actuation  system  as  a  candidate  actuation  concept 
for  use  in  the  control  system  of  a  test  vehicle.  The  plan  has 
been  devised  to  evaluate  the  actuation  concept  in  terms  of 
operational  suitability  as  well  as  its  ability  to  tolerate 
failures . 

The  following  sections  describe  the  subject  equipment,  test 
stand,  auxiliary  equipment,  procedures  for  integrating  the 
equipment,  and  means  for  determining  operational  suitability, 
failure  mode  testing,  and  failure  effects. 


2.  DESCRIPTION  OF  HARDWARE 


2.1  GENERAL  DESCRIPTION 

The  test  system  consists  of  a  primary/AFCS  actuator  assembly; 
load  actuator  and  control  circuitry;  failure  management  and 
electronic  control  circuitry  for  AFCS  (4-valve)  actuator;  and 
a  failure  simulation  panel.  These  equipments  are  installed  on 
a  laboratory  test  stand  having  hydraulic  and  electrical  sup¬ 
plies  that  are  configured  to  simulate  dual  supplies.  Either 
hydraulic  supply  will  operate  the  primary  actuator  through  a 
pressure-operated  selector  valve.  Hydraulic  Supply  No.  1  and 
Electrical  Supply  No.  1  provide  power  for  control  paths  2a  and 
2b.  Figure  11  is  a  photograph  of  the  equipment  and  the  test 
stand.  Figure  B1  is  a  schematic  of  the  system. 

2.2  PRIMARY/ARCS  ACTUATOR  ASSEMBLY 

The  AFCS  (4-valve)  actuator  is  interfaced  with  the  primary 
actuator  (see  Figure  11)  to  effect  a  differential  mixing  with 
the  pilot's  input.  Hence,  the  output  of  the  primary  actuator 
is  a  summation  of  the  pilot's  control  input  and  the  AFCS 
input.  Some  friction  in  the  pilot's  control  will  probably  be 
required  to  prevent  motion  of  the  actuator  from  being  felt  in 
the  pilot's  controls  that  may  occur  because  of  the  short 
linkage  arrangement. 

The  AFCS  actuator  has  a  displacement  authority  of  about  ±50 
percent  of  the  total  displacement  of  the  primary  actuator. 

As  shown,  hard  stops  are  located  on  the  output  of  the  primary 
actuator  to  prevent  overtravel  of  the  control  system.  The 
spring  centering  device  is  logically  interfaced  with  the  AFCS 
actuation  system  so  that  it  will  center  and  lock  in  the  absence 
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Figure  Bl.  Schematic  of  laboratory  model  of  actuation  system. 
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of  hydraulic  pressure  or  electrical  power  on  at  least  one 
solenoid  valve. 


The  primary/AFCS  actuator  assembly  has  been  designed  so  that 
existing  hardware  could  be  used  where  practical.  Accordingly, 
the  stroke  of  the  AFCS  actuator  has  been  limited  to  about  0.6 
inch  to  allow  an  existing  spring-centering  device  to  be  used 
to  center  and  mechanically  lock  the  AFCS  actuator  when  it  is 
disengaged  or  in  the  event  of  total  loss  of  electrical  or 
hydraulic  power.  This  configuration  will  satisfy  the 
functional  requirements  as  planned.  To  evaluate  it  in  the 
proper  perspective,  however,  thresholds,  failure  effects,  etc., 
should  be  evaluated  in  terms  of  percent  of  full  stroke  capa¬ 
bility  since  the  EHSV  flow  gains  and  associated  loop  gains 
have  been  designed  for  compatibility  with  the  actuator  size 
and  flow  requirements.  Also,  the  pilot's  mechanical  input  to 
actuator  output  gain  has  been  mechanized  so  that  full  pilot 
stroke  produces  about  1.2  inches  of  actuator  stroke.  This 
ratio  needs  to  be  considered  when  qualitatively  appraising 
the  "feel"  of  the  mechanical  controls. 

2.3  LOAD  ACTUATOR  AND  CONTROL  CIRCUITRY 

The  load  actuator  can  be  identified  in  Figure  11  as  the  actu¬ 
ator  connected  to  the  end  of  the  pivoted  beam.  As  shown,  it 
is  connected  in  parallel  with  the  primary  actuator  so  that 
it  can  be  used  for  simulating  reactionary  loads  from  the 
output  control  elements;  e.g.,  the  swashplate.  The  load 
actuator  is  controlled  by  the  control  circuitry  that  can  be 
identified  in  Figure  11  as  the  small  circuit  board  on  the 
lower  right.  The  circuitry  is  connected  to  the  actuator  to 
effect  a  closed  loop.  A  gain  potentiometer  is  used  to  provide 
a  means  for  controlling  the  magnitude  of  the  load. 

2.4  FAILURE  MANAGEMENT  AND  ELECTRONIC  CONTROL  CIRCUITRY 

Figure  B3  is  a  schematic  of  the  failure  management  and  elec¬ 
tronic  control  circuitry  as  well  as  the  test  circuitry  for 
simulating  failures.  This  circuitry  is  shown  in  Figure  11. 
Each  of  the  squares  on  the  large  circuit  board  and  the  asso¬ 
ciated  drive  signal  constitutes  a  control  link  from  the 
T/QIU.  The  T/QIU  is  located  on  the  lower  portion  of  the 
circuit  board  that  is  immediately  to  the  right  of  the  large 
board  in  the  photograph  and  also  schematically  shown  in  Figure 
B2.  AFCS  inputs  will  be  simulated  manually  with  the  light¬ 
weight  control  stick  shown  in  Figure  11  and  schematically 
shown  in  Figure  B2  as  the  three  potentiometers  that  provide  a 
driving  signal  for  the  triplex/quadruplex  interface  unit. 
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2.5  FAILURE  SIMULATION  PANEL 


The  Failure  Simulation  Panel  is  located  immediately  above  the 
T/QIU  circuitry  (see  Figure  11)  and  is  schematically  shown  in 
Figure  B2  for  control  path  la.  The  switching  circuitry  pro¬ 
vides  the  capability  of  simulating  the  following  failure  modes 
for  each  control  path. 

•  Transient  input  (pulse) 

•  Hard  control  path  failure 

•  Hard  and  open  failure  in  two  triplex  links  (A1  and  A2) 

•  Open  EHSV  coil 

•  Inert  failure  management  system 


3.  INTEGRATION  TEST  OF  EQUIPMENT 


3.1  FUNCTIONAL  TEST 

3.1.1  Primary/Load  Actuator  Configuration 

3. 1.1. 2  Hydraulics  ON.  Move  pilot's  controls  from  stop  to 
stop  and  qualitatively  check  for  operational  suitablity.  Note 
dead  spots,  thresholds,  breakout  forces,  etc.  Turn  off  Supply 
No.  1;  Supply  No.  2  should  automatically  take  over.  Apply 
pressure  to  load  actuator  and  with  an  appreciable  amount  of 
load,  move  primary  actuator  from  stop  to  stop  to  assure  proper 
operation. 

3.1.2  Fault-Tolerant  AFCS  Actuation  System 

The  basic  electronic  circuitry  was  used  on  a  similar  program 
and  therefore  it  can  be  assumed  that  all  the  closed  loops  are 
stable.  The  control  paths,  however,  will  be  realigned  to 
assure  proper  operation.  Each  control  path  will  be  aligned 
and  tested  separately  under  the  conditions  stated  below. 
Reference  should  be  made  to  Figure  B2  for  supplemental  infor¬ 
mation.  It  is  pointed  out  that  the  operational  amplifiers  are 
operated  at  +28  VDC  to  ground  with  +14  VDC  used  as  common. 

3. 1.2.1  Alignment  and  Test  of  Control  Paths 


Control  Path  la 
Conditions ; 


Hydraulic  power  ON 

Electrical  power  ON 

All  solenoid  valves  disconnected 

EHSV  coil  shorted  across 

TP5  shorted  to  +14  VDC 

Control  Path  la  engaged 
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EHSV  Tracking  Loop 

The  purpose  of  the  loop  is  to  maintain  EHSV  track  with  the 

other  EHSVs . 

•  Adjust  "Pot  1"  to  null  "TP1"  (reference  +14  VDC).  This 
operation  assumes  the  mechanical  null  of  the  EHSV  is 
correct  and  aligns  the  tracking  loop  accordingly.  The 
mechanical  null  is  accurate  to  ±2  percent,  which  is  con¬ 
sidered  an  adequate  reference  since  the  second  stage  of 
the  EHSV  has  an  overlap  of  ±10  percent. 

EHSV  Feedback  Loop 

The  purpose  of  this  loop  is  to  improve  the  linearity  of  the 

EHSVs  and  to  maintain  the  null  alignment. 

•  Adjust  "Pot  2"  to  null  "TP2"  (reference  +14  VDC).  This 
adjustment  aligns  the  output  of  the  feedback  with  the 
assumed  mechanical  null  of  the  EHSV. 

Frequency  Response  Test 

Conditions:  •  Hydraulic  power  ON 

•  Electrical  power  ON 

•  All  solenoid  valves  disconnected 
Short  across  EHSV  la  removed 

•  Control  path  la  engaged 

•  Open  SW4  and  connect  a  frequency 

source  across  the  normally  closed 
contacts  to  effect  a  series  input 

•  Short  on  TP5  removed 

•  Adjust  AFCS  input  to  effect  a  null  at  TP5. 

•  Conduct  frequency  response  of  the  control  path  and  EHSV 
using  the  LVDT  as  the  output  element. 

Control  Paths  lb,  2a,  and  2b 

Same  as  control  path  la.  Only  the  control  path  in  test 

should  be  engaged. 

3. 1.2. 2  Alignment  of  Electromechanical  Transducers 

Actuator  Feedback  Transducers 


Conditions:  •  Hydraulic  power  ON 

•  Electrical  power  ON 

•  Solenoid  valves  la  (only)  connected 

•  Control  paths  la  engaged 
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Use  AFCS  simulation  controller  and  position  4-valve  actuator 
in  increments  and  determine  sensitivity  in  terms  of  volts 
per  inch  of  actuator  travel. 

Use  controller  and  drive  4-valve  actuator  in  increments 
and  measure  track  error  from  stop  to  stop. 

Trim  feedback  transducers  using  transducer  la  as 
reference. 


AFCS  Simulated  Control  Transducers 
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Conditions:  Same  as  above 

•  Use  same  procedure  as  above  on  triplex  controller  for 
control  paths  Al,  A2,  A3. 

•  If  necessary,  trim  the  gain  of  summing  amplifier  in 
interface  unit  to  make  control  path  la  track  with  other 
paths. 

3. 1.2. 3  Autotrackinq  Loop  Test 
Control  Path  la 

Conditions :  ♦  Hydraulid  power  ON 

Electrical  power  ON 

♦  4  solenoid  valves  disconnected 

•  All  control  paths  disengaged 

•  Short  TP5  to  14  VDC  in  all  control  paths  to  isolate  the 
control  input. 

•  Engage  control  path  la,  then  the  other  paths  one  at  a 
time. 

•  Use  pulse  key  on  failure  simulation  panel  and  apply 
pulse  to  control  path  la.  Qualitatively  observe  the 
output  of  LVDT  la  on  an  oscilloscope  and  not  stabil¬ 
ity  characteristics. 

•  Remove  short  from  TP5  in  all  control  paths. 

•  Connect  path  la  solenoid. 

•  Engage  control  path  la;  4-valve  AFCS  actuator  will  now 
track  simulated  AFCS  input. 
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•  Drive  AFCS  actuator  from  stop-to-stop  and  examine  for 
interferences  over  the  complete  range  of  the  pilot's 
mechanical  input.  The  friction  unit  on  the  pilot's 
controls  will  probably  have  to  carry  some  friction 
because  of  the  short  link  arrangements. 

•  Repeat  with  some  load  applied  by  the  load  actuator. 

Apply  step  input  to  AFCS  actuator  and  observe  stability 
characteristics  on  oscilloscope. 

•  Drive  AFCS  actuator  in  increments  over  full  travel  and 
check  tracking  of  each  control  path  by  recording  voltage 
on  TP6 .  This  is  the  signal  that  is  used  through  the 
limiting  diodes  at  TP1  for  autotracking  as  well  as  for 

a  signal  to  the  failure  management  circuitry. 

•  Tracking  is  expected  to  be  within  0.05  when  measured  in 
terms  of  total  actuator  displacement  capability. 

•  Connect  solenoids  for  control  paths  lb,  2a,  and  2b. 

•  Engage  control  path  lb. 

•  Apply  step  input  to  AFCS  actuator  and  qualitatively 
observe  stability  characteristics. 

•  Engage  control  paths  2a  and  2b. 

•  Apply  step  input  to  AFCS  actuator  and  qualitatively 
observe  stability  characteristics. 

•  Drive  AFCS  over  full  travel  in  increments. 

•  Record  tracking  errors  in  each  path  at  TP6. 

3.1.3  Composite  Test 

The  composite  test  is  a  quick  check  to  assure  that  simultaneous 
operation  of  the  primary  actuator  and  AFCS  actuator  does  not 
create  any  mechanical  interferences  or  objectionable  "feel"  in 
the  pilot's  controls. 

Conditions:  Electric  power  ON 

Hydraulic  power  ON 
4  control  paths  engaged 


♦  Simultaneously  apply  a  varying  input  to  the  AFCS  actuator 
while  the  primary  is  being  driven  throughout  its  dis¬ 
placement  range. 
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•  If  any  mechanical  interferences  or  objectionable  pilot 
"feel*'  characteristics  are  present,  they  should  be 
cleared  before  proceeding  to  the  Operational  Suitability 
Test. 

•  It  is  pointed  out  that  the  pilot  will  feel  the  motions 
of  the  AFCS  actuator  when  the  sum  of  the  AFCS  actuator 
and  his  input  exceeds  the  downstream  stops.  This  should 
be  recognized  as  a  normal  cue  that  the  controls  are  on 
the  stops. 

3.2  OPERATIONAL  SUITABILITY  TEST 

This  test  is  similar  to  the  above  functional  composite  test 
with  the  exception  that  the  operating  conditions  will  be 
varied  and  some  parameters  will  be  measured  and  recorded. 

The  purpose  of  this  test  is  to  provide  information  pertinent 
to  the  judging  of  the  operational  suitability  of  the  4-valve 
actuation  concept  for  use  in  the  NAVTOLAND  test  helicopter. 

3.2.1  Characteristics  Under  Normal  Conditions 

Conditions ;  Electrical  power  ON 
Hydraulic  power  ON 
4  control  paths  engaged 
Load  actuator  adjusted  for  typical  static 
load 

•  Measure  displacement  threshold  of  pilot  controls  in  terms 
of  inches  at  top  of  stick.  This  will  actually  show  up  as 
a  "dead  spot"  in  the  controls.  For  this  to  be  meaning¬ 
ful,  the  measurement  should  be  corrected  to  reflect  the 
difference  in  the  short  linkage  control  ratio  and  control 
ratio  in  the  test  helicopter. 

•  Measure  the  AFCS  input  threshold  in  volts  required  from 
the  simulated  inputs  to  effect  a  displacement  of  the  4- 
valve  actuator.  As  in  the  above  case,  this  measurement 
should  be  corrected  to  read  in  terms  of  percent  of  the 
actual  capable  travel  of  the  4-valve  actuator. 

•  Qualitatively  evaluate  pilot  and  AFCS  characteristics 
while  both  are  operating  simultaneously.  Observe 
objectionable  "dead  spot"  effects  that  may  occur  when 
the  direction  of  the  AFCS  actuator  is  reversed. 

3.2.2  Characteristics  Under  Single-Failure  Conditions 

Conditions :  Same  as  3.2.1  except  control  path 

la  is  disengaged. 

Procedure:  Same  as  3.2.1. 
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3.2.3  Characteristics  Under  Dual  Failure  Conditions 


3. 2. 3.1  Two  Companion  Control  Paths  (share  same  piston) 


Conditions : 


Procedures ; 


Same  as  3.2.1  except  control  paths  la  and 
lb  are  disengaged. 

Same  as  3.2.1. 


3. 2. 3. 2  Two  Control  Paths  not  Sharing  Same  Piston 


Conditions : 


Procedures : 


Same  as  3.2.1  except  control  paths  la  and 
2a  are  disengaged. 

Same  as  3.2.1. 


3. 2. 3. 3  One  Control  Path  And  Associated  Failure  Management 
Circuit 


Conditions : 


Procedure : 


Same  as  3.2.1  except  control  path  la  is 
failed  "hard”  and  Failure  Management  cir¬ 
cuit  la  is  inoperative. 

Same  as  3.2.1. 


3.2.4  Characteristics  Under  Failure  of  One  Electrical  Suppl 


Conditions :  Same  as  3.2.1  except  electrical  supply  to 

control  paths  la  and  lb  are  off. 


Procedures : 


Same  as  3.2.1. 


3.2.5  Characteristics  under  Complete  Failure  of  Electrical 


and  Hydraulic  Power 


Conditions : 


Procedure : 


Same  as  3.2.1  except  all  electrical  and 
hydraulic  power  supply  turned  off. 

Same  as  3.2.1  except  no  test  required  on 
AFCS  actuation  unit. 


4.  FAILURE  MODES  AND  EFFECT  TEST 


The  tests  in  this  section  cover  the  basic  type  of  failures 
that  can  occur.  The  intent  is  to  validate  the  4-valve  actu¬ 
ation  concept  as  a  viable  fault-tolerant  actuation  system. 
The  AFCS  control  paths,  up  to  and  including  the  EHSVs,  will 
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be  tested  to  assure  a  failure  tolerance  level  (FTL)  of  dual 
fail-operate  for  the  worst  conditions.  The  electrical  and 
hydraulic  power  systems  will  be  tested  to  assure  that  the 
failure  effects  on  the  total  system  will  result  in  an  FTL  of 
single  fail-operate  and  dual  fail-safe. 

The  failure  modes  covered  in  the  subsequent  subsections  will 
be  simulated  using  the  switches  on  Failure  Simulation  Panel; 
four  electrical  power  switches,  two  hydraulic  hand  valves,  and 
combinations  of  these  input  devices.  Pertinent  parameters 
will  be  measured  and  recorded  to  define  failure  effects.  The 
measurements  will  be  made  using  an  oscilloscope.  Except  as 
noted,  all  initial  conditions  will  be  for  all  control  paths 
and  power  supplies  will  be  operating. 

4.1  CONTROL  PATHS  AND  FAILURE  MANAGEMENT  SYSTEM 


4.1.1  Transient  Disturbances 

The  purpose  of  this  test  is  to  show  tolerance  to  EMI -type 
disturbances. 

4. 1.1.1  Short  Pulse  -  Control  Path  la  Only 

•  Position  SW2  to  PULSE  position  and  use  momentary  SW1  ap¬ 
plication  to  apply  pulse  (about  0.2-second  pulse). 

•  Applied  pulse  should  result  in  a  short  duration  jump  at 
the  actuator.  Control  path  la  should  tolerate  this 
disturbance  and  not  disengage. 

•  Adjust  pulse  width  to  about  0.4  second  and  apply  pulse. 
Control  path  la  should  disengage. 

•  Reengage  control  path  la. 

4.1.2  First  Hard  Failure 

This  test  is  to  demonstrate  the  ability  of  the  system  to 
manage  hard  failures. 

•  Position  SW2,  control  path  la,  to  HARD  to  simulate  a  hard 
failure. 

•  Control  path  la  should  disengage. 

•  Use  oscilloscope  and  measure  and  record  actuator  dis¬ 
placement  and  time  required  for  recovery. 
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4.1.3  Second  Hard  Failure 

*  This  test  is  to  demonstrate  the  ability  of  the  system  to 
manage  dual  hard  failures. 

Position  SW2,  control  path  2a,  to  HARD  to  simulate  a 
second  hard  failure. 

*  •  Control  path  la  should  disengage. 

•  Measure  and  record  actuator  displacement  and  time 
required  for  recovery. 

•  Reengage  control  paths  la  and  2a. 

4.1.4  Single  Inert  Control  Path  Failure 

This  test  is  to  demonstrate  the  ability  of  the  system  to 
manage  inert-type  failures  without  requiring  large  actuator 
^  displacements  to  create  an  error  signal. 

•  Position  SW5,  control  path  la,  to  OPEN  to  simulate  an 
open  EHSV  coil. 

•  Simulate  an  AFCS  input;  control  path  la  should  disengage 

^  immediately. 

•  Measure  the  magnitude  of  the  AFCS  required  to  effect  a 
disengagement. 

•  Reengage  control  path  la. 

*  4.1.5  Dual  Inert  Control  Path  Failure 

This  test  is  to  demonstrate  the  ability  to  manage  two  inert 
failures.  If  these  are  not  properly  managed,  a  "two-and- 
two"  vote  condition  can  occur.  This  system  recognizes  the 
condition  and  will  disengage  both  faulty  control  paths. 

t 

•  Position  SW5,  control  paths  la  and  lb,  to  OPEN  to  simu¬ 
late  two  open  EHSV  coils. 

•  Simulate  an  AFCS  input;  control  paths  la  and  lb  should 
both  disengage . 

•  Measure  the  magnitude  of  the  AFCS  signal  required  to 
effect  the  disengagement. 

•  Reengage  control  paths  la  and  lb. 
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4.1.6  Failure  Management  Circuitry  Failure  Plus  Associated 
Control  Path  Failure 


This  test  is  to  demonstrate  the  capability  of  the  system  to 
operate  with  one  control  failed  and  not  isolated  by  the 
normal  disengagement. 

•  Open  SW6,  control  path  la,  to  simulate  an  inert  Failure 
Management  System. 

Position  SW2 ,  control  path  la,  to  HARD  to  simulate  a  hard 
failure. 

The  hard  failure  will  not  effect  a  disengagement  since 
the  associated  failure  management  circuitry  is  inopera¬ 
tive;  the  fault-tolerant  actuation  system  will  still  be 
operable  but  with  a  slight  static  offset. 

•  Measure  and  record  this  offset. 

•  Measure  and  record  the  stall  load  for  this  condition  in 
terms  of  pressure  on  load  actuator. 

•  Close  SW6;  control  path  la  should  disengage. 

•  Disengage  control  path  lb. 

•  Measure  stall  load;  this  should  be  about  the  same  as 
for  the  dual  failure  conditions. 

4.1.7  First  Failure  of  Triplex  Control  Path 

This  test  is  to  demonstrate  the  capability  of  managing 
failures  in  the  triplex  AFCS  ahead  of  the  interface  unit. 

Position  SW4  to  OFF  to  simulate  a  failure  in  the  triplex 
control  path  A1 . 

Control  path  lb  should  disengage.  Control  path  lb  has  a 
shorter  time  delay  than  la  and  operates  the  lb  disengage 
solid  state  switch  in  the  interface  unit  before  control 
path  la  can  disengage.  After  the  switch  has  operated  to 
effect  an  open  to  Al,  control  path  la  will  restore  itself 
to  correctly  track  with  control  paths  2a  and  2b. 

4.1.8  Second  Failure  of  Triplex  Control  Path 


This  test  is  to  demonstrate  that  the  system  will  tolerate 
two  failures  on  the  triplex  control  paths  and  still  operate. 
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•  Position  SW3  to  OFF  to  simulate  a  failure  in  triplex 
control  path  A2 . 

Control  path  2a  should  disengage.  As  in  the  above 
condition,  control  path  la  will  temporarily  be  out  of 
track  until  control  path  2a  is  disengaged. 

Return  SW3  and  SW4  to  ON  position  and  reengage  control 
paths  lb  and  2a. 

4.2  ELECTRICAL  POWER  SUPPLY 


4.2.1  Single  Failure 

This  test  is  to  demonstrate  the  capability  of  the  actuation 
system  to  continue  operating  after  one  electrical  power  supply 
has  failed.  Power  Supply  No.  1  provides  power  to  control 
paths  la  and  lb  while  Supply  No.  2  provides  electrical  power 
to  control  paths  2a  and  2b.  The  existing  power  switches  on 
the  Engage/Disengage  Panel  will  be  used  to  simulate  Electrical 
Power  Supplies  Nos.  1  and  2. 

•  Position  power  switches  for  control  paths  la  and  lb  to 
OFF. 

Control  paths  la  and  lb  will  disengage.  Control  paths 
2a  and  2b  will  continue  to  operate  in  a  normal  manner. 

The  loss  of  the  two  control  paths  will  not  change  the 
"flow  gain"  of  the  actuator;  however,  the  "force  gain" 
will  be  one-half  of  the  normal  gain. 

4.2.2  Dual  Failure 

The  purpose  of  this  test  is  to  demonstrate  that  if  both  elec¬ 
trical  supplies  fail,  the  AFCS  actuator  will  automatically 
center  at  an  acceptable  rate  and  mechanically  lock  and  provide 
a  pivot  for  the  pilot's  mechanical  control  inputs.  The  second 
failure  is  fail-safe  in  that  the  pilot  can  still  fly  with 
boosted  manual  controls. 

•  with  the  AFCS  actuator  fully  extended  in  one  direction, 
position  the  power  switches  for  control  paths  2a  and  2b 
to  OFF  position. 

Control  paths  2a  and  2b  will  disengage  and  the  AFCS 
actuator  will  center  and  mechanically  lock.  Actuation 
system  has  now  reverted  to  boosted  manual  controls. 

•  Measure  time  required  for  the  AFCS  actuator  to  center. 

•  Position  all  electrical  power  switches  to  ON. 
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4.3  HYDRAULIC  POWER  SUPPLY 
4.3.1  Single  Failure 


This  test  is  to  demonstrate  that  the  system  will  tolerate  a 
hydraulic  supply  failure  and  continue  operating. 

Close  the  No.  1  manual  valve  to  simulate  a  failure  of 
Hydraulic  Supply  No.  1. 

The  pressure-operated/spring-return  bypass  valve 
across  Piston  No.  1  will  open  to  the  bypass  position 
so  that  Piston  No.  2  can  operate  unrestricted.  Control 
paths  la  and  lb  will  not  disengage  because  of  a  "two-and- 
two"  vote  condition.  This  is  a  plus  since  it  demon¬ 
strates  that  the  AFCS  actuator  is  not  vulnerable  to 
hydraulic  transients.  In  addition,  the  pressure-oper¬ 
ated  valve  on  the  primary  actuator  will  operate  to 
connect  Hydraulic  Supply  No.  2  to  the  primary  actuator. 

4.3.2  Dual  Failure 

This  test  is  to  demonstrate  that  the  actuation  system  is 
fail-safe  after  two  hydraulic  failures  in  that  it  will  revert 
to  manual  control. 


•  Close  the  No.  2  manual  valve  to  simulate  a  failure  of 
Hydraulic  Supply  No.  2. 

The  pressure-operated/spring-return  bypass  valve  across 
Piston  No.  2  will  move  to  the  bypass  position,  which 
allows  the  pilot  to  manually  (no  boost)  control  the 
aircraft.  In  addition,  the  pressure-operated/spring- 
return  valve  across  the  primary  actuator  will  operate 
to  effect  a  bypass  on  the  piston  to  allow  freedom  of 
movement.  The  loss  of  both  supplies  to  the  centering 
device  allow  it  to  center  and  lock  the  AFCS  actuator. 

4.4  SUMMARY  DISCUSSION  ON  FAILURE  MODE  TESTING 

Supplemental  discussions  will  be  included  covering  the  test 
and  the  results  as  well  as  any  peculiarities  that  may  occur 
during  the  tests. 
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APPENDIX  C 


FAULT-TOLERANT  ACTUATOR  CONCEPT  RELIABILITY 

ANALYSIS 

1.  INTRODUCTION 


An  analysis  was  performed  to  provide  prediction  reliability 
values  for  the  FBW  actuator  concept.  The  concept  uses  a  dual 
hydraulic  power  actuator  (2  single  actuators),  four  electro- 
hydraulic  control  paths  (2  per  piston),  and  one  failure  manage¬ 
ment  unit  per  control  path.  The  failure  management  system 
consists  of  a  failure  sensing  function  and  an  automatic  dis¬ 
engage  function  for  each  of  the  four  control  paths.  Each 
power  actuator  is  electrically  controlled  by  EHSV  receiving 
commands  from  the  pilot’s  input  and  from  actuator  feedback 
sensors.  The  FBW  system  is  a  predominately  dual  fail-operate 
system  and  includes  the  following  components  per  control  path: 


Component .  Quantity 

EHSV  Feedback  Loop  Circuitry  4 

EHSV  Tracking  Loop  Circuitry  4 

EHSV  Open  Coil  Protection  Circuitry  4 

Failure  Management  Circuitry  4 

Trip lex/Quadrup lex  Circuitry  1 

On/Off  Switch  4 

Power  Supply  Circuitry  4 

Electrohydraulic  Servoactuator  1 

Solenoid  Switch  4 

Control  Motion  Sensor  4 

Feedback  Sensor  4 


The  reliability  analysis  covers  an  estimate  of  the  system, 
mission,  and  flight  safety  reliability. 
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2.  DEFINITIONS 


t 


Dual  fail-operate  system  -  A  system  that  can  tolerate  a  like 
failure  in  any  two  of  its  control  paths  and  still  operate 
undegraded.  Any  two  of  the  four  control  paths  are  adequate  to 
maintain  safety-of-f light  to  a  100  percent  probability. 

Failure  -  The  inability  of  an  item  to  perform  within  its 
specified  limits. 

Time  (for  reliability  values  in  the  analysis)  -  Flight  hours 
measured  from  time  of  lift-off  until  aircraft  touchdown. 

Mean-Time-Between-Failure  -  The  average  operational  flight 
hours  between  independent  failures . 

Mission  -  A  time  period  that  starts  after  preflight  checkout 
has  been  completed  and  the  system  is  determined  to  be  opera¬ 
tionally  ready,  measured  from  aircraft  lift-off  until  aircraft 
touchdown . 

System  Reliability  -  The  probability  that  an  operationally 
ready  mission-configured  system  of  the  aircraft  will  complete 
a  one-hour  mission  without  a  failure  requiring  corrective 
maintenance . 

Mission  Reliability  -  The  probability  that  an  operationally 
ready  mission-configured  system  of  the  aircraft  can  perform 
all  mission  functions  successfully  during  a  one-hour  mission. 

Flight  Safety  Reliability  -  The  probability  that  the  aircraft 
system  will  operate  for  a  one-hour  mission  without  the  occur¬ 
rence  of  an  in-flight  equipment  malfunction/failure  that  re¬ 
sults  in  injury  to  the  crew  that  would  preclude  them  from  per¬ 
forming  their  mission  or  will  not  permit  a  controlled  landing 
given  that  the  aircraft  is  operationally  ready  at  the  start 
of  the  mission. 
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3.  ANALYSIS 


The  analysis  was  prepared  following  the  procedures  and  using 
information  given  in  Sections  2  and  3  of  MIL-HDBK-217B. 

Failure  rate  data  for  components  not  covered  by  MIL-HDBK-217B 
were  derived  from  Navy  Maintenance,  Material  and  Management 
system  data  (3-M)  or  obtained  from  the  component  manufacturer. 
A  system  breakdown  in  terms  of  a  series  of  block  diagrams  was 
used  in  the  analysis  procedure.  The  component  tree  for  the 
FBW  actuator  concept  is  presented  in  Figure  Cl.  The  system 
block  diagram  is  presented  in  Figures  C2  through  C5. 


4.  RELIABILITY  ANALYSIS 


The  analysis  was  performed  to  estimate  the  reliability  of  the 
FBW  system  on  a  per-control-path  basis  and  for  the  system. 

(For  the  purpose  of  this  analysis,  the  system  is  defined  as 
one  power  actuator  and  the  four  control  paths  with  their 
associated  control  circuitry.) 

The  mission  analysis  was  performed  using  the  sources  refer¬ 
enced  in  Section  3.  The  mission  failure  rates  were  determined 
after  first  performing  a  limited  failure  modes  and  effects 
analysis  for  each  of  the  FBW  components.  The  components 
were  analyzed  to  determine  which  type  failure  modes  could 
cause  loss  of  a  function  that  would  affect  the  mission  and 
that  would  be  observable  by  the  crew  in  flight,  such  as  de¬ 
graded  performance  or  an  actuator  hardover.  Each  type  fail¬ 
ure  mode  that  could  be  experienced  by  each  component  was  as¬ 
signed  a  percent  of  occurrence.  For  example,  a  capacitor 
has  two  primary  failure  modes,  short  and  open.  Approximately 
80  percent  of  the  failure  occurrences  for  a  capacitor  would 
be  a  shorted  mode.  Therefore,  if  the  short  mode  of  the  capa¬ 
citor  would  be  noticeable  by  the  crew  or  affect  the  operation 
or  the  aircraft,  the  capacitor  failure  mode  failure  rate  would 
be  obtained  by  multiplying  the  component  failure  rate  by  the 
failure  mode  factor  of  0.80.  Next,  the  product  of  the  compo¬ 
nent  failure  rate  and  the  failure  mode  factor  are  summed.  This 
procedure  was  followed  for  each  component  of  the  FBW  actuator 
to  obtain  the  mission  analysis  results. 

In  addition  to  the  mission  analysis,  a  flight  safety  analysis 
was  also  performed  by  examining  each  component  failure  mode. 
This  analysis  was  conducted  to  determine  which  component 
failure  modes  could  result  in  complete  loss  of  function  of 
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Figure  Cl.  Concluded 
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Figure  C2.  System  reliability  block  diagram  of  the  FEW  actuator 
concept  common  components  and  corresponding  failure 
rates  (Xg  ) . 
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Figure  C3.  System  reliability  block  diagram  of  one  of  the  four 
FBW  actuator  concept  control  paths  and  corresponding 
component  failure  rates  Us  )  (failures  per  106  flight 
hours).  sj 
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Figure  C4.  Mission  reliability  block  diagram  of  the  FBW  actuator 
concept  common  components  and  corresponding  mission 
failure  rates  (X^  )  (failures  per  10°  flight  hours). 
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Figure  C5.  Mission  reliability  block  diagram  one  of  the  four 

FBW  actuator  concept  control  paths  and  corresponding 
component  failure  rates  (X  )  (failures  per  106  flight 
hours) .  Mj 
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the  FBW  actuator.  Similar  to  the  mission  analysis,  the 
failure  mode  failure  rates  for  each  component  causing  actuator 
function  loss  was  summed  to  obtain  the  flight  safety  analysis 
results . 

The  component  success  probabilities  for  one  hour  of  mission 
time  were  computed  using  the  exponent  reliability  equation: 

R  =  e_At  (1) 

where , 

e  =  exponential  distribution  value 
\  =  failure  rate  failures  per  flight  hour 
t  =  the  one  hour  of  mission  time 

R  =  the  probability  that  no  failure  will  occur  during 
time  t 

Failure  probabilities  (Q)  were  computed  using  the  equation: 

Q  =  1-R  (2) 

where, 

R  =  the  reliability  using  equation  (1) 

The  next  step  in  analysis  was  to  determine  the  success  path  for 

•  one  path  surviving 

•  two  paths  surviving 

•  three  paths  surviving 

•  for  all  paths  surviving 

The  probability  of  successful  operation  of  the  system  with 
all  paths  surviving  is  equal  to  the  product  of  each  item 
reliability: 


where , 

Rs  =  the  system  reliability 
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=  R2  =  the  reliability  of  each  single  actuator 

R, ,  R.,  Rc,  Ra  =  the  reliability  of  each  of  the  four  con- 
J  5  6  trol  paths 

The  probability  of  at  least  three  of  the  four  paths  surviving 
a  one  hour  mission  is: 

V3)  *  v  \  <4Rir  *  3R£'>  <4> 

where , 

rm  =  R,  =  R2  =  the  probability  of  success  of  one  of  the 
W1  single  actuators 

Rm,  =  R,  =  R.  =  R-  Rfi  =  the  probability  of  success  of  one 

of  the  four  control  paths 

The  probability  of  at  least  two  of  the  four  paths  surviving  a 
one  hour  mission  is: 

v2>  *  ^  <6Rji'  -  S' +  S.) +  <2%  -  (5) 

The  probability  of  at  least  one  of  the  four  paths  surviving 
a  one  hour  mission  is: 

V3>  *  rfs  *  <2^  -  %  2)(4RM'  -  6E«'  4  S'  -  S'»(6) 


5 .  RESULTS 


The  results  of  the  system  reliability  analysis  are  shown  in 
Table  Cl.  This  table  presents  the  failure  rate,  MTBF,  and  one 
f  hour  reliability  for  each  component  and  for  the  total  system. 

The  results  of  the  mission  reliability  analysis  are  shown  in 
Table  C2.  This  table  also  presents  the  failure  rate,  MTBF, 
and  one  hour  mission  reliability  for  each  major  component  and 
for  the  total  system. 

» 

Table  C3  presents  the  results  of  the  per  path  analysis  for 
mission  and  flight  safety  reliability.  This  table  shows  the 
probability  of  no  failures,  3-path  survival,  2-path  survival, 
and  1-path  survival. 
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TABLE  Cl.  PREDICTED  SYSTEM  RELIABILITY  OF  THE 
FLY-BY-WIRE  ACTUATOR  CONCEPT 

Failure  Rate  Mean  Time 

(Failures  per  Between  Failures 

_ 106  Flight  Hours)  (Flight  Hours) 


System 

932 

1073 

EHSV  Feedback  Loop 

Circuits  (4) 

88 

11364 

EHSV  Tracking  Loop 

Circuits  (4) 

88 

11364 

EHSV  Open  Coil  Protection 
Circuits  (4) 

55 

18182 

Failure  Management 

Circuits  (4) 

165 

6061 

Triplex/ Quadruplex 

Circuits  (1) 

16 

62500 

ON-OFF  Switch  (4) 

34 

29412 

Power  Supply 

Circuits  (4) 

92 

10870 

Control  Motion 

Sensors  (4) 

12 

83333 

Feedback 

Sensors  (4) 

12 

83333 

Dual  Hydraulic 

Actuator  (1) 

270 

3704 

Solenoid  Switches  (4) 

100 

10000 

101 


Reliability 
(One  Hour) 

.999069 

.999912 

.999912 

.999945 

.999835 

.999984 

.999966 

.999908 

.999988 

.999988 

.999730 

.999900 
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TABLE  C2. 

PREDICTED  MISSION  RELIABILITY  OF  THE 
FLY-BY-WIRE  ACTUATOR  CONCEPT 

Failure  Rate 
(Failures  per 
106  Flight  Hours) 

Mean  Time 
Between  Failures 
(Flight  Hours) 

Reliability 
(One  Hour) 

• 

System 

438 

2283 

.999562 

EHSV  Feedback  Loop 
Circuits  (4) 

68 

14706 

.999932 

* 

EHSV  Tracking  Loop 
Circuits  (4) 

22 

45454 

.999987 

EHSV  Open  Coil  Protection 

Circuits  (4)  28 

35714 

.999972 

Failure  Management 
Circuits  (4) 

118 

8475 

.999882 

Triplex/ Quadruplex 
Circuits  (1) 

2 

500000 

.999998 

i 

Power  Supply 

Circuits  (4) 

92 

10870 

.999908 

Control  Motion 

Sensors  (4) 

12 

83333 

.999988 

Feedback 

Sensors  (4) 

12 

83333 

.999988 

Dual  Hydraulic 
Actuator  (Less 

Valves)  (1) 

24 

41667 

.999976 

Hydraulic 

Servovalves  (4) 

30 

33333 

.999970 

Solenoid  Switches  (4) 

30 

33333 

.999970 
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TABLE  C3.  PATH  PROBABILITY  ANALYSIS 


* 


(One  Hour  Reliability) 

No  3-Path  2-Path  1-Path 

Failures _ Survival  Survival  Survival 


Mission  (Includes 

Hardovers)  .999562 

.9999759  .999999992 

Flight  Safety 

.999999999857 

* 
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In  performing  this  analysis,  a  few  basic  assumptions  were  made 

*  The  FBW  system  will  use  components  with  an  established 
reliability  history. 

*  All  components  will  be  subjected  to  a  burn-in  test  to 
eliminate  infant  mortality  failures  and  stabilize  fail¬ 
ure  rates. 

*  All  components  will  be  tested  to  the  expected  operating 
limits  in  the  true  installation  environment  during 
development. 

*  Cooling  air  will  be  used  whenever  the  system  is  energized 
to  eliminate  heat  related  problems. 

*  The  design  cycle  will  include  a  Test,  Analyze,  and  Fix 
(TAAF)  program  for  reliability  growth  and  evaluation. 
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